SUSE-SLE-Module-Containers-15-SP4-2022-2680: Security update for buildah (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for buildah fixes the following issues:

- CVE-2022-27651: Fixed incorrect default inheritable capabilities for linux container (bsc#1197870).

Update to version 1.25.1. The following non-security bugs were fixed:

- add workaround for https://bugzilla.opensuse.org/show_bug.cgi?id=1183043

Packages:
  buildah-1.25.1-150400.3.3.28.src.rpm
  buildah-1.25.1-150400.3.3.28.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-1689: Security update for containerd, docker (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for containerd, docker fixes the following issues:

- CVE-2022-24769: Fixed incorrect default inheritable capabilities (bsc#1197517).
- CVE-2022-23648: Fixed directory traversal issue (bsc#1196441).
- CVE-2022-27191: Fixed a crash in a golang.org/x/crypto/ssh server (bsc#1197284).
- CVE-2021-43565: Fixed a panic in golang.org/x/crypto by empty plaintext packet (bsc#1193930).

Updating docker will restart the docker service, which may stop some of your docker containers. Do you want to proceed with the update?

Packages:
  containerd-1.5.11-150000.68.1.src.rpm
  containerd-1.5.11-150000.68.1.x86_64.rpm
  docker-20.10.14_ce-150000.163.1.src.rpm
  docker-20.10.14_ce-150000.163.1.x86_64.rpm
  docker-bash-completion-20.10.14_ce-150000.163.1.noarch.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-1888: Security update for helm-mirror (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for helm-mirror fixes the following issues:

- Updated to version 0.3.1:
  - CVE-2019-18658: Fixed a potential symbolic link issue in helm that could be used to leak sensitive files (bsc#1156646).

Packages:
  helm-mirror-0.3.1-150000.1.13.1.src.rpm
  helm-mirror-0.3.1-150000.1.13.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-2341: Security update for containerd, docker and runc (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for containerd, docker and runc fixes the following issues:

containerd:
- CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)

docker:
- Update to Docker 20.10.17-ce. See upstream changelog online at https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145)

runc:

Update to runc v1.1.3. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3.

* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return `-EPERM` despite the existence of the `-ENOSYS` stub code (this was due to how s390x does syscall multiplexing).
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes.
* Inability to compile with recent clang due to an issue with duplicate constants in libseccomp-golang.
* When using systemd cgroup driver, skip adding device paths that don't exist, to stop systemd from emitting warnings about those paths.
* Socket activation was failing when more than 3 sockets were used.
* Various CI fixes.
* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
- Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)

Update to runc v1.1.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.2.
Security issue fixed:

- CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. (bsc#1199460)
- `runc spec` no longer sets any inheritable capabilities in the created example OCI spec (`config.json`) file.

Update to runc v1.1.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.1.

* runc run/start can now run a container with read-only /dev in OCI spec, rather than error out. (#3355)
* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
* libcontainer systemd v2 manager no longer errors out if one of the files listed in /sys/kernel/cgroup/delegate does not exist in container's cgroup. (#3387, #3404)
* Loosen OCI spec validation to avoid bogus "Intel RDT is not supported" error. (#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if stat of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

Update to runc v1.1.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0.

- libcontainer will now refuse to build without the nsenter package being correctly compiled (specifically this requires CGO to be enabled). This should avoid folks accidentally creating broken runc binaries (and incorrectly importing our internal libraries into their projects). (#3331)

Update to runc v1.1.0~rc1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.

+ Add support for RDMA cgroup added in Linux 4.11.
* runc exec now produces exit code of 255 when the exec failed. This may help in distinguishing between runc exec failures (such as invalid options, non-running container or non-existent binary etc.) and failures of the command being executed.
+ runc run: new --keep option to skip removal of exited containers' artefacts. This might be useful to check the state (e.g. of cgroup controllers) after the container has exited.
+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD (the latter is just an alias for SCMP_ACT_KILL).
+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows users to create sophisticated seccomp filters where syscalls can be efficiently emulated by privileged processes on the host.
+ checkpoint/restore: add an option (--lsm-mount-context) to set a different LSM mount context on restore.
+ intelrdt: support ClosID parameter.
+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup to use for the process being executed.
+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1 machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc run/exec now adds the container to the appropriate cgroup under it).
+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s behaviour.
+ mounts: add support for bind-mounts which are inaccessible after switching the user namespace. Note that this does not permit the container any additional access to the host filesystem, it simply allows containers to have bind-mounts configured for paths the user can access but have restrictive access control settings for other users.
+ Add support for recursive mount attributes using mount_setattr(2). These have the same names as the proposed mount(8) options -- just prepend r to the option name (such as rro).
+ Add runc features subcommand to allow runc users to detect what features runc has been built with. This includes critical information such as supported mount flags, hook names, and so on. Note that the output of this command is subject to change and will not be considered stable until runc 1.2 at the earliest. The runtime-spec specification for this feature is being developed in opencontainers/runtime-spec#1130.
* system: improve performance of /proc/$pid/stat parsing.
* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change the ownership of certain cgroup control files (as per /sys/kernel/cgroup/delegate) to allow for proper deferral to the container process.
* runc checkpoint/restore: fixed for containers with an external bind mount whose destination is a symlink.
* cgroup: improve openat2 handling for cgroup directory handle hardening.
* runc delete -f now succeeds (rather than timing out) on a paused container.
* runc run/start/exec now refuses a frozen cgroup (paused container in case of exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of the release.

Updating docker will restart the docker service, which may stop some of your docker containers. Do you want to proceed with the update?

Packages:
  containerd-1.6.6-150000.73.2.src.rpm
  containerd-1.6.6-150000.73.2.x86_64.rpm
  containerd-ctr-1.6.6-150000.73.2.x86_64.rpm
  docker-20.10.17_ce-150000.166.1.src.rpm
  docker-20.10.17_ce-150000.166.1.x86_64.rpm
  docker-bash-completion-20.10.17_ce-150000.166.1.noarch.rpm
  runc-1.1.3-150000.30.1.src.rpm
  runc-1.1.3-150000.30.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3666: Security update for helm (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for helm fixes the following issues:

helm was updated to version 3.9.4:
* CVE-2022-36055: Fixed denial of service through string value parsing (bsc#1203054).
* Updating the certificates used for testing
* Updating index handling

helm was updated to version 3.9.3:
- CVE-2022-1996: Updated kube-openapi to fix an issue that could result in a CORS protection bypass (bsc#1200528).
* Fix missing array length check on release

helm was updated to version 3.9.2:
* Update of the circleci image

helm was updated to version 3.9.1:
* Update to support Kubernetes 1.24.2
* Improve logging and safety of statefulSetReady
* Make token caching an opt-in feature
* Bump github.com/lib/pq from 1.10.5 to 1.10.6
* Bump github.com/Masterminds/squirrel from 1.5.2 to 1.5.3

helm was updated to version 3.9.0:
* Added a --quiet flag to helm lint
* Added a --post-renderer-args flag to support arguments being passed to the post renderer
* Added more checks during the signing process
* Updated to add Kubernetes 1.24 support

helm was updated to version 3.8.2:
* Bump oras.land/oras-go from 1.1.0 to 1.1.1
* Fixing downloader plugin error handling
* Simplify testdata charts
* Add tests for multi-level dependencies.
* Fix value precedence
* Bumping Kubernetes package versions
* Updating vcs to latest version
* Don't modify provided transport
* Pass http getter as pointer in tests
* Add docs block
* Add transport option and tests
* Reuse http transport
* Updating Kubernetes libs to 0.23.4 (latest)
* fix: remove deadcode
* fix: helm package tests
* fix: helm package with dependency update for charts with OCI dependencies
* Fix typo; unset the env var before func return in Unit Test
* add legal name check
* maint: fix syntax error in deploy.sh
* linting issue fixed
* only apply overwrite if version is canary
* overwrite flag added to az storage blob upload-batch
* Avoid querying for OCI tags when an explicit version is provided in chart dependencies
* Management of bearer tokens for tag listing
* Updating Kubernetes packages to 1.23.3
* refactor: use `os.ReadDir` for lightweight directory reading
* Add IngressClass to manifests to be (un)installed
* feat(comp): Shell completion for OCI
* Fix install memory/goroutine leak

Packages:
  helm-3.9.4-150000.1.10.3.src.rpm
  helm-3.9.4-150000.1.10.3.x86_64.rpm
  helm-bash-completion-3.9.4-150000.1.10.3.noarch.rpm
  helm-zsh-completion-3.9.4-150000.1.10.3.noarch.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-2834: Security update for podman (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for podman fixes the following issues:

Updated to version 3.4.7:
- CVE-2022-1227: Fixed an issue that could allow an attacker to publish a malicious image to a public registry and run arbitrary code in the victim's context via the 'podman top' command (bsc#1182428).
- CVE-2022-27191: Fixed a potential crash via SSH under specific configurations (bsc#1197284).
- CVE-2022-21698: Fixed a potential denial of service that affected servers that used Prometheus instrumentation (bsc#1196338).

Packages:
  podman-3.4.7-150400.4.3.1.src.rpm
  podman-3.4.7-150400.4.3.1.x86_64.rpm
  podman-cni-config-3.4.7-150400.4.3.1.noarch.rpm
  podman-docker-3.4.7-150400.4.3.1.noarch.rpm
  podman-remote-3.4.7-150400.4.3.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3655: Security update for buildah (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for buildah fixes the following issues:

Buildah was updated to version 1.27.1:
- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
- CVE-2022-2990: Fixed a possible information disclosure and modification (bsc#1202812).

Packages:
  buildah-1.27.1-150400.3.8.1.src.rpm
  buildah-1.27.1-150400.3.8.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-2972: Feature update for python-kubernetes (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This feature update for python-kubernetes provides:

- Deliver python3-kubernetes to the Containers Module 15 SP4. (jsc#SLE-17904, MSC-443)
  * Deliver python3-google-auth to Basesystem Module 15 SP4 as dependency of python3-kubernetes.
  * Deliver python3-cachetools to Basesystem Module 15 SP4 as dependency of python3-google-auth.
- There are no visible changes for the final user.

Packages:
  python-kubernetes-8.0.1-150100.3.7.1.src.rpm
  python3-kubernetes-8.0.1-150100.3.7.1.noarch.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3134: Recommended update for distribution (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for distribution fixes the following issues:

- This update provides Distribution 2.8.1. (jsc#SLE-24963)

Packages:
  distribution-2.8.1-150400.9.8.1.src.rpm
  distribution-registry-2.8.1-150400.9.8.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3435: Recommended update for runc (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for runc fixes the following issues:

- Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.
- Fix "permission denied" error from runc run on noexec fs
- Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)

Packages:
  runc-1.1.4-150000.33.4.src.rpm
  runc-1.1.4-150000.33.4.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3333: Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues:

The kubevirt stack was updated to version 0.54.0. Release notes: https://github.com/kubevirt/kubevirt/releases/tag/v0.54.0

Security fixes:
- CVE-2022-1798: Fix arbitrary file read on the host from KubeVirt VMs (bsc#1202516)

Security fixes in vendored dependencies:
- CVE-2022-1996: Fixed go-restful CORS bypass (bsc#1200528)
- CVE-2022-29162: Fixed runc incorrect handling of inheritable capabilities in default configuration (bsc#1199460)

- Fix containerdisk unmount logic
- Support topology spread constraints
- Update libvirt-go to fix memory leak
- Pack nft rules and nsswitch.conf for virt-handler
- Only create 1MiB-aligned disk images (bsc#1199603)
- Avoid returning nil failure message
- Use semantic equality comparison
- Drop kubevirt-psp-caasp.yaml
- Allow configuring utility containers for update test
- Symlink nsswitch.conf and nft rules to proper locations
- Drop unused package libvirt-client
- Install vim-small instead of vim
- Remove unneeded libvirt-daemon-driver-storage-core
- Install missing packages ethtool and gawk. Fixes bsc#1199392

Packages:
  kubevirt-0.54.0-150400.3.3.2.src.rpm
  kubevirt-manifests-0.54.0-150400.3.3.2.x86_64.rpm
  kubevirt-virtctl-0.54.0-150400.3.3.2.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3334: Security update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer fixes the following issues:

Update to version 1.51.0. Release notes: https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.51.0

Security issues fixed in vendored dependencies:
- CVE-2022-1996: Fixed CORS bypass (bsc#1200528)

- Include additional tools used by cdi-importer: cdi-containerimage-server, cdi-image-size-detection, cdi-source-update-poller
- Pack only cdi-operator and cdi-cr release manifests
- Install tar for cloning filesystem PVCs

Packages:
  containerized-data-importer-1.51.0-150400.4.3.1.src.rpm
  containerized-data-importer-manifests-1.51.0-150400.4.3.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3336: Recommended update for distribution (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for distribution fixes the following issues:

- Explicitly require nologin shell which is needed for registry system user (bsc#1203324)

Packages:
  distribution-2.8.1-150400.9.11.1.src.rpm
  distribution-registry-2.8.1-150400.9.11.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3820: Security update for podman (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for podman fixes the following issues:

- CVE-2022-2989: Fixed possible information disclosure and modification (bsc#1202809).

Packages:
  podman-3.4.7-150400.4.6.1.src.rpm
  podman-3.4.7-150400.4.6.1.x86_64.rpm
  podman-cni-config-3.4.7-150400.4.6.1.noarch.rpm
  podman-docker-3.4.7-150400.4.6.1.noarch.rpm
  podman-remote-3.4.7-150400.4.6.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3900: Recommended update for docker (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for docker fixes the following issues:

- Fix a crash-on-start issue with dockerd (bsc#1200022)

Updating docker will restart the docker service, which may stop some of your docker containers. Do you want to proceed with the update?

Packages:
  docker-20.10.17_ce-150000.169.1.src.rpm
  docker-20.10.17_ce-150000.169.1.x86_64.rpm
  docker-bash-completion-20.10.17_ce-150000.169.1.noarch.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3927: Recommended update for runc (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for runc fixes the following issues:

- Update to runc v1.1.4 (bsc#1202021)
- Fix failed exec after systemctl daemon-reload (bsc#1202821)
- Fix mounting via wrong proc
- Fix "permission denied" error from runc run on noexec filesystem

Packages:
  runc-1.1.4-150000.36.1.src.rpm
  runc-1.1.4-150000.36.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3781: Security update for container-suseconnect (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of container-suseconnect is a rebuild of the previous sources against the current security-updated Go compiler.
Packages:
  container-suseconnect-2.3.0-150000.4.19.2.src.rpm
  container-suseconnect-2.3.0-150000.4.19.2.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-4268: Recommended update for kubernetes1.23 (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubernetes1.23 fixes the following issues:

- Add kubernetes 1.23.9 (bsc#1195391)

Packages:
  kubernetes1.23-1.23.9-150300.7.3.5.src.rpm
  kubernetes1.23-client-1.23.9-150300.7.3.5.x86_64.rpm
  kubernetes1.23-client-common-1.23.9-150300.7.3.5.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-4213: Recommended update for libnvidia-container, nvidia-container-toolkit (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for libnvidia-container, nvidia-container-toolkit fixes the following issues:

Both nvidia-container-toolkit and libnvidia-container were updated to version 1.11.0 (jsc#SLE-18750):

1.11.0:
- Added support for injection of GPUDirect Storage and MOFED devices into containerized environments.

1.10.0:
- Improving support for Tegra-based systems

1.9.0:
- Added multi-arch support for the container-toolkit images.
- Enhancements for use on Tegra-systems and some notable bugfixes.

1.8.1:
- This release is a bugfix release that fixes issues around cgroups found in NVIDIA Container Toolkit 1.8.0.

1.8.0:
- It adds cgroupv2 support to the NVIDIA Container Toolkit and removes packaging support for Amazonlinux1.

Packages:
  libnvidia-container-1.11.0-150200.5.6.1.src.rpm
  libnvidia-container-devel-1.11.0-150200.5.6.1.x86_64.rpm
  libnvidia-container-static-1.11.0-150200.5.6.1.x86_64.rpm
  libnvidia-container-tools-1.11.0-150200.5.6.1.x86_64.rpm
  libnvidia-container1-1.11.0-150200.5.6.1.x86_64.rpm
  nvidia-container-toolkit-1.11.0-150200.5.6.1.src.rpm
  nvidia-container-toolkit-1.11.0-150200.5.6.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3969: Security update for kubevirt stack (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update provides rebuilds of the kubevirt containers with up-to-date base images, fixing various security issues.

Packages:
  kubevirt-0.54.0-150400.3.5.1.src.rpm
  kubevirt-manifests-0.54.0-150400.3.5.1.x86_64.rpm
  kubevirt-virtctl-0.54.0-150400.3.5.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-3970: Security update for containerized-data-importer (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update rebuilds the current containerized data importer images against current base images, to fix security issues.

Packages:
  containerized-data-importer-1.51.0-150400.4.5.1.src.rpm
  containerized-data-importer-manifests-1.51.0-150400.4.5.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-4147: Security update for kubevirt stack (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update provides rebuilds of the kubevirt containers with up-to-date base images, fixing various security issues.

Packages:
  kubevirt-0.54.0-150400.3.7.1.src.rpm
  kubevirt-manifests-0.54.0-150400.3.7.1.x86_64.rpm
  kubevirt-virtctl-0.54.0-150400.3.7.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-4191: Security update for containerized-data-importer (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update rebuilds the current containerized data importer images against current base images, to fix security issues.

Packages:
  containerized-data-importer-1.51.0-150400.4.7.1.src.rpm
  containerized-data-importer-manifests-1.51.0-150400.4.7.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-4592: Security update for cni (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for cni fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

Packages:
  cni-0.7.1-150100.3.8.1.src.rpm
  cni-0.7.1-150100.3.8.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-4593: Security update for cni-plugins (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for cni-plugins fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

Packages:
  cni-plugins-0.8.6-150100.3.11.1.src.rpm
  cni-plugins-0.8.6-150100.3.11.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-4349: Security update for buildah (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for buildah fixes the following issues:

Version update to 1.28.2.

- CVE-2022-2990: Fixed a possible information disclosure and modification vulnerability (bsc#1202812).
- CVE-2020-10696: Fixed an issue with a crafted input tar file that may lead to a local file overwriting during image build process (bsc#1167864).
Packages:
  buildah-1.28.2-150400.3.11.1.src.rpm
  buildah-1.28.2-150400.3.11.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2022-4458: Recommended update for container-suseconnect (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for container-suseconnect fixes the following issues:

container-suseconnect was updated to 2.4.0 (jsc#PED-1710):
* Fix docker build example for non-SLE hosts
* Minor fixes to --help and README
* Improve documentation when building with podman on non-SLE host
* Add flag --log-credentials-errors
* Update capture to the 1.0.0 release
* Use URL.Redacted() to avoid security scanner warning
* Regcode fix

- strip binaries (removes 4MB/25% of the uncompressed size) (bsc#1186827)

Packages:
  container-suseconnect-2.4.0-150000.4.22.1.src.rpm
  container-suseconnect-2.4.0-150000.4.22.1.x86_64.rpm


SUSE-SLE-Module-Containers-15-SP4-2023-187: Security update for podman (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for podman fixes the following issues:

podman was updated to version 4.3.1:

4.3.1:

* Bugfixes
  - Fixed a deadlock between the `podman ps` and `podman container inspect` commands

* Misc
  - Updated the containers/image library to v5.23.1

4.3.0:

* Features
  - A new command, `podman generate spec`, has been added, which creates a JSON struct based on a given container that can be used with the Podman REST API to create containers.
  - A new command, `podman update`, has been added, which makes changes to the resource limits of existing containers. Please note that these changes do not persist if the container is restarted
  - A new command, `podman kube down`, has been added, which removes pods and containers created by the given Kubernetes YAML (functionality is identical to `podman kube play --down`, but it now has its own command).
  - The `podman kube play` command now supports Kubernetes secrets using Podman's secrets backend.
  - Systemd-managed pods created by the `podman kube play` command now integrate with sd-notify, using the `io.containers.sdnotify` annotation (or `io.containers.sdnotify/$name` for specific containers).
  - Systemd-managed pods created by `podman kube play` can now be auto-updated, using the `io.containers.auto-update` annotation (or `io.containers.auto-update/$name` for specific containers).
  - The `podman kube play` command can now read YAML from URLs, e.g. `podman kube play https://example.com/demo.yml`
  - The `podman kube play` command now supports the `emptyDir` volume type
  - The `podman kube play` command now supports the `HostUsers` field in the pod spec.
  - The `podman play kube` command now supports `binaryData` in ConfigMaps.
  - The `podman pod create` command can now set additional resource limits for pods using the new `--memory-swap`, `--cpuset-mems`, `--device-read-bps`, `--device-write-bps`, `--blkio-weight`, `--blkio-weight-device`, and `--cpu-shares` options.
  - The `podman machine init` command now supports a new option, `--username`, to set the username that will be used to connect to the VM as a non-root user
  - The `podman volume create` command's `-o timeout=` option can now set a timeout of 0, indicating volume plugin operations will never time out.
  - Added support for a new volume driver, `image`, which allows volumes to be created that are backed by images.
  - The `podman run` and `podman create` commands support a new option, `--env-merge`, allowing environment variables to be specified relative to other environment variables in the image (e.g. `podman run --env-merge "PATH=$PATH:/my/app" ...`)
  - The `podman run` and `podman create` commands support a new option, `--on-failure`, to allow action to be taken when a container fails health checks, with the following supported actions: `none` (take no action, the default), `kill` (kill the container), `restart` (restart the container), and `stop` (stop the container).
  - The `--keep-id` option to `podman create` and `podman run` now supports new options, `uid` and `gid`, to set the UID and GID of the user in the container that will be mapped to the user running Podman (e.g. `--userns=keep-id:uid=11` will map the user running Podman to UID 11 in the container)
  - The `podman generate systemd` command now supports a new option, `--env`/`-e`, to set environment variables in the generated unit file
  - The `podman pause` and `podman unpause` commands now support the `--latest`, `--cidfile`, and `--filter` options.
  - The `podman restart` command now supports the `--cidfile` and `--filter` options.
  - The `podman rm` command now supports the `--filter` option to select which containers will be removed.
  - The `podman rmi` command now supports a new option, `--no-prune`, to prevent the removal of dangling parents of removed images.
  - The `--dns-opt` option to `podman create`, `podman run`, and `podman pod create` has received a new alias, `--dns-option`, to improve Docker compatibility.
  - The `podman` command now features a new global flag, `--debug`/`-D`, which enables debug-level logging (identical to `--log-level=debug`), improving Docker compatibility.
  - The `podman` command now features a new global flag, `--config`. This flag is ignored, and is only included for Docker compatibility
  - The `podman manifest create` command now accepts a new option, `--amend`/`-a`.
  - The `podman manifest create`, `podman manifest add` and `podman manifest push` commands now accept a new option, `--insecure` (identical to `--tls-verify=false`), improving Docker compatibility.
  - The `podman secret create` command's `--driver` and `--format` options now have new aliases, `-d` for `--driver` and `-f` for `--format`.
  - The `podman secret create` command now supports a new option, `--label`/`-l`, to add labels to created secrets.
  - The `podman secret ls` command now accepts the `--quiet`/`-q` option.
  - The `podman secret inspect` command now accepts a new option, `--pretty`, to print output in human-readable format.
  - The `podman stats` command now accepts the `--no-trunc` option.
  - The `podman save` command now accepts the `--signature-policy` option
  - The `podman pod inspect` command now allows multiple arguments to be passed. If so, it will return a JSON array of the inspected pods
  - A series of new hidden commands have been added under `podman context` as aliases to existing `podman system connection` commands, to improve Docker compatibility.
  - The remote Podman client now supports proxying signals for attach sessions when the `--sig-proxy` option is set

* Changes
  - Duplicate volume mounts are now allowed with the `-v` option to `podman run`, `podman create`, and `podman pod create`, so long as source, destination, and options all match
  - The `podman generate kube` and `podman play kube` commands have been renamed to `podman kube generate` and `podman kube play` to group Kubernetes-related commands. Aliases have been added to ensure the old command names still function.
  - A number of Podman commands (`podman init`, `podman container checkpoint`, `podman container restore`, `podman container cleanup`) now print the user-inputted name of the container, instead of its full ID, on success.
  - When an unsupported option (e.g. resource limit) is specified for a rootless container on a cgroups v1 system, a warning message is now printed that the limit will not be honored.
  - The installer for the Windows Podman client has been improved.
  - The `--cpu-rt-period` and `--cpu-rt-runtime` options to `podman run` and `podman create` now print a warning and are ignored on cgroups v2 systems (cgroups v2 having dropped support for these controllers)
  - Privileged containers running systemd will no longer mount `/dev/tty*` devices other than `/dev/tty` itself into the container
  - Events for containers that are part of a pod now include the ID of the pod in the event.
- SSH functionality for `podman machine` commands has seen a thorough rework, addressing many issues about authentication.
- The `--network` option to `podman kube play` now allows passing `host` to set the pod to use host networking, even if the YAML does not request this.
- The `podman inspect` command on containers now includes the digest of the image used to create the container.
- Pods created by `podman play kube` are now, by default, placed into a network named `podman-kube`. If the `podman-kube` network does not exist, it will be created. This ensures pods can connect to each other by their names, as the network has DNS enabled.

Update to version 4.2.0:

* Features
  - Podman now supports the Gitlab Runner (using the Docker executor), allowing its use in Gitlab CI/CD pipelines.
  - A new command has been added, podman pod clone, to create a copy of an existing pod. It supports several options, including --start to start the new pod, --destroy to remove the original pod, and --name to change the name of the new pod.
  - A new command has been added, podman volume reload, to sync changes in state between Podman's database and any configured volume plugins.
  - A new command has been added, podman machine info, which displays information about the host and the versions of various machine components.
  - Pods created by podman play kube can now be managed by systemd unit files. This can be done via a new systemd service, podman-kube@.service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the Kubernetes pod or deployment contained in my.yaml under systemd.
  - The podman play kube command now honors the RunAsUser, RunAsGroup, and SupplementalGroups settings from the Kubernetes pod's security context.
  - The podman play kube command now supports volumes with the BlockDevice and CharDevice types.
  - The podman play kube command now features a new flag, --userns, to set the user namespace of created pods. Two values are allowed at present: host and auto.
  - The podman play kube command now supports setting the type of created init containers via the io.podman.annotations.init.container.type annotation.
  - Pods now include an exit policy (configurable via the --exit-policy option to podman pod create), which determines what will happen to the pod's infra container when the entire pod stops. The default, continue, acts as Podman currently does, while a new option, stop, stops the infra container after the last container in the pod stops, and is used by default for pods from podman play kube.
  - The podman pod create command now allows the pod's name to be specified as an argument, instead of using the --name option - for example, podman pod create mypod instead of the prior podman pod create --name mypod. Please note that the --name option is not deprecated and will continue to work.
  - The podman pod create command's --share option now supports adding namespaces to the set by prefacing them with + (as opposed to specifying all namespaces that should be shared).
  - The podman pod create command has a new option, --shm-size, to specify the size of the /dev/shm mount that will be shared if the pod shares its UTS namespace (#14609).
  - The podman pod create command has a new option, --uts, to configure the UTS namespace that will be shared by containers in the pod.
  - The podman pod create command now supports setting pod-level resource limits via the --cpus, --cpuset-cpus, and --memory options. These will set a limit for all containers in the pod, while individual containers within the pod are allowed to set further limits. Look forward to more options for resource limits in our next release!
  - The podman create and podman run commands now include the -c short option for the --cpu-shares option.
  - The podman create and podman run commands can now create containers from a manifest list (and not an image) as long as the --platform option is specified (#14773).
  - The podman build command now supports a new option, --cpp-flag, to specify options for the C preprocessor when using Containerfile.in files that require preprocessing.
  - The podman build command now supports a new option, --build-context, allowing the user to specify an additional build context.
  - The podman machine inspect command now prints the location of the VM's Podman API socket on the host (#14231).
  - The podman machine init command on Windows now fetches an image with packages pre-installed (#14698).
  - Unused, cached Podman machine VM images are now cleaned up automatically. Note that because Podman now caches in a different directory, this will not clean up old images pulled before this change (#14697).
  - The default for the --image-volume option to podman run and podman create can now be set through the image_volume_mode setting in containers.conf (#14230).
  - Overlay volumes now support two new options, workdir and upperdir, to allow multiple overlay volumes from different containers to reuse the same workdir or upperdir (#14427).
  - The podman volume create command now supports two new options, copy and nocopy, to control whether contents from the overmounted folder in a container will be copied into the newly-created named volume (copy-up).
  - Volumes created using a volume plugin can now specify a timeout for all operations that contact the volume plugin (replacing the standard 5 second timeout) via the --opt o=timeout= option to podman volume create (BZ 2080458).
  - The podman volume ls command's --filter name= option now supports regular expression matching for volume names (#14583).
  - When used with a podman machine VM, volumes now support specification of the 9p security model using the security_model option to podman create -v and podman run -v.
  - The remote Podman client's podman push command now supports the --remove-signatures option (#14558).
  - The remote Podman client now supports the podman image scp command.
  - The podman image scp command now supports tagging the transferred image with a new name.
  - The podman network ls command supports a new filter, --filter dangling=, to list networks not presently used by any containers (#14595).
  - The --condition option to podman wait can now be specified multiple times to wait on any one of multiple conditions.
  - The podman events command now includes the -f short option for the --filter option.
  - The podman pull command now includes the -a short option for the --all-tags option.
  - The podman stop command now includes a new flag, --filter, to filter which containers will be stopped (e.g. podman stop --all --filter label=COM.MY.APP).
  - The Podman global option --url now has two aliases: -H and --host.
  - The podman network create command now supports a new option with the default bridge driver, --opt isolate=, which isolates the network by blocking any traffic from it to any other network with the isolate option enabled. This option is enabled by default for networks created using the Docker-compatible API.
  - Added the ability to create sigstore signatures in podman push and podman manifest push.
  - Added an option to read the image signing passphrase from a file.
* Changes
  - Paused containers can now be killed with the podman kill command.
  - The podman system prune command now removes unused networks.
  - The --userns=keep-id and --userns=nomap options to the podman run and podman create commands are no longer allowed (instead of simply being ignored) with root Podman.
  - If the /run directory for a container is part of a volume, Podman will not create the /run/.containerenv file (#14577).
  - The podman machine stop command on macOS now waits for the machine to be completely stopped before exiting (#14148).
  - All podman machine commands now only support being run as rootless, given that VMs only functioned when run rootless.
  - The podman unpause --all command will now only attempt to unpause containers that are paused, not all containers.
  - Init containers created with podman play kube now default to the once type (#14877).
  - Pods created with no shared namespaces will no longer create an infra container unless one is explicitly requested (#15048).
  - The podman create, podman run, and podman cp commands can now autocomplete paths in the image or container via the shell completion.
  - The libpod/common package has been removed as it's not used anywhere.
  - The --userns option to podman create and podman run is no longer accepted when an explicit UID or GID mapping is specified (#15233).
* Misc
  - Podman will now check for nameservers in /run/NetworkManager/no-stub-resolv.conf if the /etc/resolv.conf file only contains a localhost server.
  - The podman build command now supports caching with builds that specify --squash-all by allowing the --layers flag to be used at the same time.
  - Podman Machine support for QEMU installations at non-default paths has been improved.
  - The podman machine ssh command no longer prints spurious warnings every time it is run.
  - When accessing the WSL prompt on Windows, the rootless user will be preferred.
  - The podman info command now includes a field for information on supported authentication plugins for improved Docker compatibility. Authentication plugins are not presently supported by Podman, so this field is always empty.
  - The podman system prune command no longer prints the Deleted Images header if no images were pruned.
  - The podman system service command now automatically creates and moves to a sub-cgroup when running in the root cgroup (#14573).
  - Updated Buildah to v1.27.0 (fixes CVE-2022-21698 / bsc#1196338).
  - Updated the containers/image library to v5.22.0.
  - Updated the containers/storage library to v1.42.0 (fixes bsc#1196751).
  - Updated the containers/common library to v0.49.1.
  - Podman will automatically create a sub-cgroup and move itself into it when it detects that it is running inside a container (#14884).
  - Fixed an incorrect release note about regexp.
  - A new MacOS installer (via pkginstaller) is now supported.

Update to version 4.1.1:

* The output of the podman load command now mirrors that of docker load.
* Podman now supports Docker Compose v2.2 and higher. Please note that it may be necessary to disable the use of Buildkit by setting the environment variable DOCKER_BUILDKIT=0.
* A new container command has been added, podman container clone. This command makes a copy of an existing container, with the ability to change some settings (e.g. resource limits) while doing so.
* Podman now supports sending JSON events related to machines to a Unix socket named machine_events.*\.sock in XDG_RUNTIME_DIR/podman or to a socket whose path is set in the PODMAN_MACHINE_EVENTS_SOCK environment variable.
* Two new volume commands have been added, podman volume mount and podman volume unmount. These allow for Podman-managed named volumes to be mounted and accessed from outside containers.
* The podman container checkpoint and podman container restore options now support checkpointing to and restoring from OCI images. This allows checkpoints to be distributed via standard image registries.
* The podman play kube command now supports environment variables that are specified using the fieldRef and resourceFieldRef sources.
* The podman play kube command will now set default resource limits when the provided YAML does not include them.
* The podman play kube command now supports a new option, --annotation, to add annotations to created containers.
* The podman play kube --build command now supports a new option, --context-dir, which allows the user to specify the context directory to use when building the Containerfile.
* The podman container commit command now supports a new option, --squash, which squashes the generated image into a single layer.
* The podman pod logs command now supports two new options: --names, which identifies which container generated a log message by name instead of ID, and --color, which colors messages based on what container generated them.
* The podman rmi command now supports a new option, --ignore, which will ignore errors caused by missing images.
* The podman network create command now features a new option, --ipam-driver, to specify details about how IP addresses are assigned to containers in the network.
* The podman machine list command now features a new option, --quiet, to print only the names of configured VMs and no other information.
* The --ipc option to the podman create, podman run, and podman pod create commands now supports three new modes: none, private, and shareable. The default IPC mode is now shareable, indicating that the IPC namespace can be shared with other containers.
* The --mount option to the podman create and podman run commands can now set options for created named volumes via the volume-opt parameter.
* The --mount option to the podman create and podman run commands now allows parameters to be passed in CSV format.
* The --userns option to the podman create and podman run commands now supports a new option, nomap, that (only for rootless containers) does not map the UID of the user that started the container into the container, increasing security.
* The podman import command now supports three new options, --arch, --os, and --variant, to specify what system the imported image was built for.
* The podman inspect command now includes information on the network configuration of containers that joined a pre-configured network namespace with the --net ns: option to podman run, podman create, and podman pod create.
* The podman run and podman create commands now support a new option, --chrootdirs, which specifies additional locations where container-specific files managed by Podman (e.g. /etc/hosts, /etc/resolv.conf, etc.) will be mounted inside the container (#12961).
* The podman run and podman create commands now support a new option, --passwd-entry, allowing entries to be added to the container's /etc/passwd file.
* The podman images --format command now accepts two new format directives: {{.CreatedAt}} and {{.CreatedSince}}.
* The podman volume create command's -o option now accepts a new argument, o=noquota, to disable XFS quotas entirely and avoid potential issues when Podman is run on an XFS filesystem with existing quotas defined.
* The podman info command now includes additional information on the machine Podman is running on, including disk utilization on the drive Podman is storing containers and images on, and CPU utilization.
* Fix CVE-2022-27191 / bsc#1197284

- Require catatonit >= 0.1.7 for pause functionality needed by pods

Update to version 4.0.3:

* Security
  - This release fixes CVE-2022-27649, where containers run by Podman would have excess inheritable capabilities set.
* Changes
  - The podman machine rm --force command will now remove running machines as well (such machines are shut down first, then removed) (#13448).
  - When a podman machine VM is started that is using a too-old VM image, it will now start in a reduced functionality mode, and provide instructions on how to recreate it (previously, VMs were effectively unusable) (#13510).
  - Updated the containers/common library to v0.47.5.
  - This release addresses CVE-2021-4024 / bsc#1193166, where the podman machine command opened the gvproxy API (used to forward ports to podman machine VMs) to the public internet on port 7777.
  - This release addresses CVE-2021-41190 / bsc#1193273, where incomplete specification of behavior regarding image manifests could lead to inconsistent decoding on different clients.

Update to version 3.1.0: (bsc#1181961, CVE-2021-20206)

- A fix for CVE-2021-20199 / bsc#1181640 is included.
  Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.

podman-4.3.1-150400.4.11.1.src.rpm
podman-4.3.1-150400.4.11.1.x86_64.rpm
podman-cni-config-4.3.1-150400.4.11.1.noarch.rpm
podman-docker-4.3.1-150400.4.11.1.noarch.rpm
podman-remote-4.3.1-150400.4.11.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2022-4463 Security update for containerd (important) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for containerd fixes the following issues:

Update to containerd v1.6.12 including Docker v20.10.21-ce (bsc#1206065). Also includes the following fixes:

- CVE-2022-23471: host memory exhaustion through Terminal resize goroutine leak (bsc#1206235).
- CVE-2022-27191: crash in a golang.org/x/crypto/ssh server (bsc#1197284).

containerd-1.6.12-150000.79.1.src.rpm
containerd-1.6.12-150000.79.1.x86_64.rpm
containerd-ctr-1.6.12-150000.79.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1913 Recommended update for libslirp, slirp4netns (moderate) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for libslirp and slirp4netns fixes the following issues:

libslirp was updated to version 4.7.0+44 (current git master):

* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID

Release v4.7.0

* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxiliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket

Update to version 4.6.1+7:

* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options

Update to version 4.6.1:

* Fix "DHCP broken in libslirp v4.6.0"

Update to version 4.6.0:

* udp: check upd_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* upd6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer

Update to version 4.4.0:

* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove

slirp4netns was updated to 1.2.0:

* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson@70dc239...2d7b3dd

Update to version 1.1.11:

* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.

Update to version 1.1.8:

Update to 1.0.0:

* --enable-sandbox is now out of experimental

slirp4netns-1.2.0-150300.8.5.2.src.rpm
slirp4netns-1.2.0-150300.8.5.2.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2022-4618 Recommended update for catatonit (moderate) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for catatonit fixes the following issues:

Update to catatonit v0.1.7:

- This release adds the ability for catatonit to be used as the only process in a pause container, by passing the -P flag (in this mode no subprocess is spawned and thus no signal forwarding is done).

Update to catatonit v0.1.6:

- This release fixes a few bugs, mainly ones related to socket activation or features somewhat adjacent to socket activation (such as passing file descriptors).

catatonit-0.1.7-150300.10.3.1.src.rpm
catatonit-0.1.7-150300.10.3.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2022-4606 Security update for helm (moderate) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for helm fixes the following issues:

Update to version 3.10.3:

- CVE-2022-23524: Fixed a denial of service in the string value parsing (bsc#1206467).
- CVE-2022-23525: Fixed a denial of service with the repository index file (bsc#1206469).
- CVE-2022-23526: Fixed a denial of service in the schema file handling (bsc#1206471).

helm-3.10.3-150000.1.13.1.src.rpm
helm-3.10.3-150000.1.13.1.x86_64.rpm
helm-bash-completion-3.10.3-150000.1.13.1.noarch.rpm
helm-zsh-completion-3.10.3-150000.1.13.1.noarch.rpm

SUSE-SLE-Module-Containers-15-SP4-2022-4635 Security update for conmon (moderate) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for conmon fixes the following issues:

conmon was updated to version 2.1.5:

* don't leak syslog_identifier
* logging: do not read more than the buf size
* logging: fix error handling
* Makefile: Fix install for FreeBSD
* signal: Track changes to get_signal_descriptor in the FreeBSD version
* Packit: initial enablement

Update to version 2.1.4:

* Fix a bug where conmon crashed when it got a SIGCHLD

Update to version 2.1.3:

* Stop using g_unix_signal_add() to avoid threads
* Rename CLI option log-size-global-max to log-global-size-max

Update to version 2.1.2:

* add log-global-size-max option to limit the total output conmon processes (CVE-2022-1708 bsc#1200285)
* journald: print tag and name if both are specified
* drop some logs to debug level

Update to version 2.1.0:

* logging: buffer partial messages to journald
* exit: close all fds >= 3
* fix: cgroup: Free memory_cgroup_file_path if open fails.

Update to version 2.0.32:

* Fix: Avoid mainfd_std{in,out} sharing the same file descriptor.
* exit_command: Fix: unset subreaper attribute before running exit command

Update to version 2.0.31:

* logging: new mode -l passthrough
* ctr_logs: use container name or ID as SYSLOG_IDENTIFIER for journald
* conmon: Fix: free userdata files before exec cleanup

conmon-2.1.5-150400.3.3.1.src.rpm
conmon-2.1.5-150400.3.3.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1571 Security update for helm (moderate) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for helm fixes the following issues:

Update to version 3.11.1 (bsc#1208084):

- CVE-2023-25165: Fixed an information disclosure problem where getHostByName injection inside a chart could be used to send values to a malicious DNS server.

helm-3.11.1-150000.1.16.1.src.rpm
helm-3.11.1-150000.1.16.1.x86_64.rpm
helm-bash-completion-3.11.1-150000.1.16.1.noarch.rpm
helm-zsh-completion-3.11.1-150000.1.16.1.noarch.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-795 Security update for docker (moderate) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for docker fixes the following issues:

Docker was updated to 20.10.23-ce. See the upstream changelog at https://docs.docker.com/engine/release-notes/#201023

Docker was updated to 20.10.21-ce (bsc#1206065). See the upstream changelog at https://docs.docker.com/engine/release-notes/#201021

Security issues fixed:

- CVE-2022-36109: Fixed supplementary group permissions bypass (bsc#1205375)

- Fix wrong After: in docker.service, fixes bsc#1188447
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux.
- Allow to install container-selinux instead of apparmor-parser.
- Change to using systemd-sysusers

Updating docker will restart the docker service, which may stop some of your docker containers. Do you want to proceed with the update?
docker-20.10.23_ce-150000.175.1.src.rpm
docker-20.10.23_ce-150000.175.1.x86_64.rpm
docker-bash-completion-20.10.23_ce-150000.175.1.noarch.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1564 Recommended update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container (moderate) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues:

- Fix SEV device exposure
- Cleanup node labels properly
- Install ncat and curl (required for network tests)
- Symlink virtiofsd to /usr/libexec/virtiofsd
- Install only libvirt-daemon-driver-qemu and do not pull unneeded deps
- Do not install libguestfs-devel

kubevirt-0.54.0-150400.3.10.4.src.rpm
kubevirt-manifests-0.54.0-150400.3.10.4.x86_64.rpm
kubevirt-virtctl-0.54.0-150400.3.10.4.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1565 Recommended update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer (moderate) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer fixes the following issues:

- Build tools/cdi-containerimage-server with CGO_ENABLED=0

containerized-data-importer-1.51.0-150400.4.10.4.src.rpm
containerized-data-importer-manifests-1.51.0-150400.4.10.4.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1628 Security update for containerd (important) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for containerd fixes the following issues:

- CVE-2022-23471: Fixed host memory exhaustion through Terminal resize goroutine leak (bsc#1206235).
- Re-build containerd to use updated golang-packaging (jsc#1342).
- Update to containerd v1.6.16 for Docker v23.0.0-ce.
  * https://github.com/containerd/containerd/releases/tag/v1.6.16

containerd-1.6.16-150000.82.2.src.rpm
containerd-1.6.16-150000.82.2.x86_64.rpm
containerd-ctr-1.6.16-150000.82.2.x86_64.rpm
containerd-devel-1.6.16-150000.82.2.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-871 Security update for container-suseconnect (important) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of container-suseconnect fixes the following issues:

- container-suseconnect was rebuilt against the current go1.19 release, fixing security issues and other bugs fixed in go1.19.7.
- CVE-2022-41723: Fixed quadratic complexity in HPACK decoding (bsc#1208270).
- CVE-2022-41724: Fixed panic with large handshake records in crypto/tls (bsc#1208271).
- CVE-2022-41725: Fixed denial of service from excessive resource consumption in net/http and mime/multipart (bsc#1208272).
- CVE-2023-24532: Fixed incorrect P-256 ScalarMult and ScalarBaseMult results (bsc#1209030).
- CVE-2022-41720: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows (bsc#1206134).

container-suseconnect-2.4.0-150000.4.24.1.src.rpm
container-suseconnect-2.4.0-150000.4.24.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1796 Security update for conmon (moderate) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for conmon fixes the following issues:

- rebuild against supported go 1.19 (bsc#1209307) - no functional changes.
conmon-2.1.5-150400.3.6.1.src.rpm
conmon-2.1.5-150400.3.6.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1814 Security update for podman (important) SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for podman fixes the following issues:

Update to version 4.4.4:

* libpod: always use direct mapping
* macos pkginstaller: do not fail when podman-mac-helper fails
* podman-mac-helper: install: do not error if already installed

- podman.spec: Bump required version for libcontainers-common (bsc#1209495)

Update to version 4.4.3:

* compat: /auth: parse server address correctly
* vendor github.com/containers/common@v0.51.1
* pkginstaller: bump Qemu to version 7.2.0
* podman machine: Adjust Chrony makestep config
* [v4.4] fix --health-on-failure=restart in transient unit
* podman logs passthrough driver support --cgroups=split
* journald logs: simplify entry parsing
* podman logs: read journald with passthrough
* journald: remove initializeJournal()
* netavark: only use aardvark ip as nameserver
* compat API: network create return 409 for duplicate
* fix "podman logs --since --follow" flake
* system service --log-level=trace: support hijack
* podman-mac-helper: exit 1 on error
* bump golang.org/x/net to v0.8.0
* Fix package restore
* Quadlet - use the default runtime

Update to version 4.4.2:

* Revert "CI: Temporarily disable all AWS EC2-based tasks"
* kube play: only enforce passthrough in Quadlet
* Emergency fix for man pages: check for broken includes
* CI: Temporarily disable all AWS EC2-based tasks
* quadlet system tests: add useful defaults, logging
* volume,container: chroot to source before exporting content
* install sigproxy before start/attach
* Update to c/image 5.24.1
* events + container inspect test: RHEL fixes

- podman.spec: add `crun` requirement for quadlet
- podman.spec: set PREFIX at build stage (bsc#1208510)
- CVE-2023-0778: Fixed symlink exchange attack in podman export volume (bsc#1208364)

Update to version 4.4.1:

* kube play: do not teardown unconditionally on error
* Resolve symlink path for qemu directory if possible
* events: document journald identifiers
* Quadlet: exit 0 when there are no files to process
* Cleanup podman-systemd.unit file
* Install podman-systemd.unit man page, make quadlet discoverable
* Add missing return after errors
* oci: bind mount /sys with --userns=(auto|pod:)
* docs: specify order preference for FROM
* Cirrus: Fix & remove GraphQL API tests
* test: adapt test to work on cgroupv1
* make hack/markdown-preprocess parallel-safe
* Fix default handling of pids-limit
* system tests: fix volume exec/noexec test

Update to version 4.4.0:

* Emergency fix for RHEL8 gating tests
* Do not mount /dev/tty into rootless containers
* Fixes port collision issue on use of --publish-all
* Fix usage of absolute windows paths with --image-path
* fix #17244: use /etc/timezone where `timedatectl` is missing on Linux
* podman-events: document verbose create events
* Making gvproxy.exe optional for building Windows installer
* Add gvproxy to Windows packages
* Match VT device paths to be blocked from mounting exactly
* Clean up more language for inclusiveness
* Set runAsNonRoot=true in gen kube
* quadlet: Add device support for .volume files
* fix: running check error when podman is default in wsl
* fix: don't output "ago" when container is currently up and running
* journald: podman logs only show logs for current user
* journald: podman events only show events for current user
* Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)
* DB: make loading container states optional
* ps: do not sync container
* Allow --device-cgroup-rule to be passed in by docker API
* Create release notes for v4.4.0
* Cirrus: Update operating branch
* fix APIv2 python attach test flake
* ps: query health check in batch mode
* make example volume import, not import volume
* Correct output when inspecting containers created with --ipc
* Vendor containers/(storage, image, common, buildah)
* Get correct username in pod when using --userns=keep-id
* ps: get network data in batch mode
* build(deps): bump github.com/onsi/gomega from 1.25.0 to 1.26.0
* add hack/perf for comparing two container engines
* systems: retrofit dns options test to honor other search domains
* ps: do not create copy of container config
* libpod: set search domain independently of nameservers
* libpod,netavark: correctly populate /etc/resolv.conf with custom dns server
* podman: relay custom DNS servers to network stack
* (fix) mount_program is in storage.options.overlay
* Change example target to default in doc
* network create: do not allow `default` as name
* kube-play: add support for HostPID in podSpec
* build(deps): bump github.com/docker/docker
* Let's see if #14653 is fixed or not
* Add support for podman build --group-add
* vendor in latests containers/(storage, common, build, image)
* unskip network update test
* do not install swagger by default
* pasta: skip "Local forwarder, IPv4" test
* add testbindings Makefile target
* update CI images to include pasta
* [CI:DOCS] Add CNI deprecation notices to documentation
* Cirrus: preserve podman-server logs
* waitPidStop: reduce sleep time to 10ms
* StopContainer: return if cleanup process changed state
* StopSignal: add a comment
* StopContainer: small refactor
* waitPidStop: simplify code
* e2e tests: reenable long-skipped build test
* Add openssh-clients to podmanimage
* Reworks Windows smoke test to tunnel through interactive session.
* fix bud-multiple-platform-with-base-as-default-arg flake * Remove ReservedAnnotations from kube generate specification * e2e: update test/README.md * e2e: use isRootless() instead of rootless.IsRootless() * Cleanup documentation on --userns=auto * Vendor in latest c/common * sig-proxy system test: bump timeout * build(deps): bump github.com/containernetworking/plugins * rootless: rename auth-scripts to preexec-hooks * Docs: version-check updates * commit: use libimage code to parse changes * [CI:DOCS] Remove experimental mac tutorial * man: Document the interaction between --systemd and --privileged * Make rootless privileged containers share the same tty devices as rootfull ones * container kill: handle stopped/exited container * Vendor in latest containers/(image,ocicrypt) * add a comment to container removal * Vendor in latest containers/storage * Cirrus: Run machine tests on PR merge * fix flake in kube system test * kube play: complete container spec * E2E Tests: Use inspect instead of actual data to avoid UDP flake * Use containers/storage/pkg/regexp in place of regexp * Vendor in latest containers/storage * Cirrus: Support using updated/latest NV/AV in PRs * Limit replica count to 1 when deploying from kubernetes YAML * Set StoppedByUser earlier in the process of stopping * podman-play system test: refactor * network: add support for podman network update and --network-dns-server * service container: less verbose error logs * Quadlet Kube - add support for PublishPort key * e2e: fix systemd_activate_test * Compile regex on demand not in init * [docker compat] Don't overwrite the NetworkMode if containers.conf overrides netns. 
* E2E Test: Play Kube set deadline to connection to avoid hangs * Only prevent VTs from being mounted inside privileged systemd containers * e2e: fix play_kube_test * Updated error message for supported VolumeSource types * Introduce pkg retry logic in win installer task * logformatter: include base SHA, with history link * Network tests: ping redhat.com, not podman.io * cobra: move engine shutdown to Execute * Updated options for QEMU on Windows hosts * Update Mac installer to use gvproxy v0.5.0 * podman: podman rm -f doesn't leave processes * oci: check for valid PID before kill(pid, 0) * linux: add /sys/fs/cgroup if /sys is a bind mount * Quadlet: Add support for ConfigMap key in Kube section * remove service container _after_ pods * Kube Play - allow setting and overriding published host ports * oci: terminate all container processes on cleanup * Update win-sshproxy to 0.5.0 gvisor tag * Vendor in latest containers/common * Fix a potential defer logic error around locking * logformatter: nicer formatting for bats failures * logformatter: refactor verbose line-print * e2e tests: stop using UBI images * k8s-file: podman logs --until --follow exit after time * journald: podman logs --until --follow exit after time * journald: seek to time when --since is used * podman logs: journald fix --since and --follow * Preprocess files in UTF-8 mode * Vendor in latest containers/(common, image, storage) * Switch to C based msi hooks for win installer * hack/bats: improve usage message * hack/bats: add --remote option * hack/bats: fix root/rootless logic * Describe copy volume options * Support sig-proxy for podman-remote attach and start * libpod: fix race condition rm'ing stopping containers * e2e: fix run_volume_test * Add support for Windows ARM64 * Add shared --compress to man pages * Add container error message to ContainerState * Man page checker: require canonical name in SEE ALSO * system df: improve json output code * kube play: fix the error logic with --quiet * System 
tests: quadlet network test * Fix: List container with volume filter * adding -dryrun flag * Quadlet Container: Add support for EnvironmentFile and EnvironmentHost * Kube Play: use passthrough as the default log-driver if service-container is set * System tests: add missing cleanup * System tests: fix unquoted question marks * Build and use a newer systemd image * Quadlet Network - Fix the name of the required network service * System Test Quadlet - Volume dependency test did not test the dependency * fix `podman system connection - tcp` flake * vendor: bump c/storage to a747b27 * Fix instructions about setting storage driver on command-line * Test README - point users to hack/bats * System test: quadlet kube basic test * Fixed `podman update --pids-limit` * podman-remote,bindings: trim context path correctly when its emptydir * Quadlet Doc: Add section for .kube files * e2e: fix containers_conf_test * Allow '/' to prefix container names to match Docker * Remove references to qcow2 * Fix typos in man page regarding transient storage mode. 
* make: Use PYTHON var for .install.pre-commit * Add containers.conf read-only flag support * Explain that relabeling/chowning of volumes can take a long time * events: support "die" filter * infra/abi: refactor ContainerRm * When in transient store mode, use rundir for bundlepath * quadlet: Support Type=oneshot container files * hacks/bats: keep QUADLET env var in test env * New system tests for conflicting options * Vendor in latest containers/(buildah, image, common) * Output Size and Reclaimable in human form for json output * podman service: close duplicated /dev/null fd * ginkgo tests: apply ginkgolinter fixes * Add support for hostPath and configMap subpath usage * export: use io.Writer instead of file * rootless: always create userns with euid != 0 * rootless: inhibit copy mapping for euid != 0 * pkg/domain/infra/abi: introduce `type containerWrapper` * vendor: bump to buildah ca578b290144 and use new cache API * quadlet: Handle booleans that have defaults better * quadlet: Rename parser.LookupBoolean to LookupBooleanWithDefault * Add podman-clean-transient.service service * Stop recording annotations set to false * Unify --noheading and -n to be consistent on all commands * pkg/domain/infra/abi: add `getContainers` * Update vendor of containers/(common, image) * specfile: Drop user-add dependency from quadlet subpackage. 
* quadlet: Default BINDIR to /usr/bin if tag not specified * Quadlet: add network support * Add comment for jsonMarshal command * Always allow pushing from containers-storage * libpod: move NetNS into state db instead of extra bucket * Add initial system tests for quadlets * quadlet: Add --user option * libpod: remove CNI word where no longer applicable * libpod: fix header length in http attach with logs * podman-kube@ template: use `podman kube` * build(deps): bump github.com/docker/docker * wait: add --ignore option * quadlet: Respect $PODMAN env var for podman binary * e2e: Add assert-key-is-regex check to quadlet e2e testsuite * e2e: Add some assert to quadlet test to make sure testcases are sane * remove unmapped ports from inspect port bindings * update podman-network-create for clarity * Vendor in latest containers/common with default capabilities * pkg/rootless: Change error text ... * rootless: add cli validator * rootless: define LIBEXECPODMAN * doc: fix documentation for idmapped mounts * bump golangci-lint to v1.50.1 * build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2 * [CI:DOCS] podman-mount: s/umount/unmount/ * create/pull --help: list pull policies * Network Create: Add --ignore flag to support idempotent script * Make qemu security model none * libpod: use OCI idmappings for mounts * stop reporting errors removing containers that don't exist * test: added test from wait endpoint with to long label * quadlet: Default VolatileTmp to off * build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.11 * docs/options/ipc: fix list syntax * Docs: Add dedicated DOWNLOAD doc w/ links to bins * Make a consistently-named windows installer * checkpoint restore: fix --ignore-static-ip/mac * add support for subpath in play kube for named volumes * build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0 * golangci-lint: remove three deprecated linters * parse-localbenchmarks: separate standard deviation * build(deps): bump golang.org/x/term from 
0.2.0 to 0.3.0 * podman play kube support container startup probe * Add podman buildx version support * Cirrus: Collect benchmarks on machine instances * Cirrus: Remove escape codes from log files * [CI:DOCS] Clarify secret target behavior * Fix typo on network docs * podman-remote build add --volume support * remote: allow --http-proxy for remote clients * Cleanup kube play workloads if error happens * health check: ignore dependencies of transient systemd units/timers * fix: event read from syslog * Fixes secret (un)marshaling for kube play. * Remove 'you' from man pages * build(deps): bump golang.org/x/tools from 0.3.0 to 0.4.0 in /test/tools * [CI:DOCS] test/README.md: run tests with podman-remote * e2e: keeps the http_proxy value * Makefile: Add podman-mac-helper to darwin client zip * test/e2e: enable "podman run with ipam none driver" for nv * [skip-ci] GHA/Cirrus-cron: Fix execution order * kube sdnotify: run proxies for the lifespan of the service * Update containers common package * podman manpage: Use man-page links instead of file names * e2e: fix e2e tests in proxy environment * Fix test * disable healthchecks automatically on non systemd systems * Quadlet Kube: Add support for userns flag * [CI:DOCS] Add warning about --opts,o with mount's -o * Add podman system prune --external * Add some tests for transient store * runtime: In transient_store mode, move bolt_state.db to rundir * runtime: Handle the transient store options * libpod: Move the creation of TmpDir to an earlier time * network create: support "-o parent=XXX" for ipvlan * compat API: allow MacAddress on container config * Quadlet Kube: Add support for relative path for YAML file * notify k8s system test: move sending message into exec * runtime: do not chown idmapped volumes * quadlet: Drop ExecStartPre=rm %t/%N.cid * Quadlet Kube: Set SyslogIdentifier if was not set * Add a FreeBSD cross build to the cirrus alt build task * Add completion for --init-ctr * Fix handling of readonly 
containers when defined in kube.yaml * Build cross-compilation fixes * libpod: Track healthcheck API changes in healthcheck_unsupported.go * quadlet: Use same default capability set as podman run * quadlet: Drop --pull=never * quadlet: Change default of ReadOnly to no * quadlet: Change RunInit default to no * quadlet: Change NoNewPrivileges default to false * test: podman run with checkpoint image * Enable 'podman run' for checkpoint images * test: Add tests for checkpoint images * CI setup: simplify environment passthrough code * Init containers should not be restarted * Update c/storage after https://github.com/containers/storage/pull/1436 * Set the latest release explicitly * add friendly comment * fix an overriding logic and load config problem * Update the issue templates * Update vendor of containers/(image, buildah) * [CI:DOCS] Skip windows-smoke when not useful * [CI:DOCS] Remove broken gate-container docs * OWNERS: add Jason T. Greene * hack/podmansnoop: print arguments * Improve atomicity of VM state persistence on Windows * [CI:BUILD] copr: enable podman-restart.service on rpm installation * macos: pkg: Use -arm64 suffix instead of -aarch64 * linux: Add -linux suffix to podman-remote-static binaries * linux: Build amd64 and arm64 podman-remote-static binaries * container create: add inspect data to event * Allow manual override of install location * Run codespell on code * Add missing parameters for checkpoint/restore endpoint * Add support for startup healthchecks * Add information on metrics to the `network create` docs * Introduce podman machine os commands * Document that ignoreRootFS depends on export/import * Document ignoreVolumes in checkpoint/restore endpoint * Remove leaveRunning from swagger restore endpoint * libpod: Add checks to avoid nil pointer dereference if network setup fails * Address golangci-lint issues * Documenting Hyper-V QEMU acceleration settings * Kube Play: fix the handling of the optional field of SecretVolumeSource * Update 
Vendor of containers/(common, image, buildah) * Fix swapped NetInput/-Output stats * libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory * chore: Fix MD for Troubleshooting Guide link in GitHub Issue Template * test/tools: rebuild when files are changed * ginkgo tests: apply ginkgolinter fixes * ginkgo: restructure install work flow * Fix manpage emphasis * specgen: support CDI devices from containers.conf * vendor: update containers/common * pkg/trust: Take the default policy path from c/common/pkg/config * Add validate-in-container target * Adding encryption decryption feature * container restart: clean up healthcheck state * Add support for podman-remote manifest annotate * Quadlet: Add support for .kube files * Update vendor of containers/(buildah, common, storage, image) * specgen: honor user namespace value * [CI:DOCS] Migrate OSX Cross to M1 * quadlet: Rework uid/gid remapping * GHA: Fix cirrus re-run workflow for other repos. * ssh system test: skip until it becomes a test * shell completion: fix hard coded network drivers * libpod: Report network setup errors properly on FreeBSD * E2E Tests: change the registry for the search test to avoid authentication * pkginstaller: install podman-mac-helper by default * Fix language. Mostly spelling a -> an * podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd environment. * [CI:DOCS] Fix spelling and typos * Modify man page of "--pids-limit" option to correct a default value. 
* Update docs/source/markdown/podman-remote.1.md * Update pkg/bindings/connection.go * Add more documentation on UID/GID Mappings with --userns=keep-id * support podman-remote to connect tcpURL with proxy * Removing the RawInput from the API output * fix port issues for CONTAINER_HOST * CI: Package versions: run in the 'main' step * build(deps): bump github.com/rootless-containers/rootlesskit * pkg/domain: Make checkExecPreserveFDs platform-specific * e2e tests: fix restart race * Fix podman --noout to suppress all output * remove pod if creation has failed * pkg/rootless: Implement rootless.IsFdInherited on FreeBSD * Fix more podman-logs flakes * healthcheck system tests: try to fix flake * libpod: treat ESRCH from /proc/PID/cgroup as ENOENT * GHA: Configure workflows for reuse * compat,build: handle docker's preconfigured cacheTo,cacheFrom * docs: deprecate pasta network name * utils: Enable cgroup utils for FreeBSD * pkg/specgen: Disable kube play tests on FreeBSD * libpod/lock: Fix build and tests for SHM locks on FreeBSD * podman cp: fix copying with "." suffix * pkginstaller: bump Qemu to version 7.1.0 * specgen,wasm: switch to crun-wasm wherever applicable * vendor: bump c/common to v0.50.2-0.20221111184705-791b83e1cdf1 * libpod: Make unit test for statToPercent Linux only * Update vendor of containers/storage * fix connection usage with containers.conf * Add --quiet and --no-info flags to podman machine start * Add hidden podman manifest inspect -v option * Add podman volume create -d short option for driver * Vendor in latest containers/(common,image,storage) * Add podman system events alias to podman events * Fix search_test to return correct version of alpine * GHA: Fix undefined secret env. var. * Release notes for 4.3.1 * GHA: Fix make_email-body script reference * Add release keys to README * GHA: Fix typo setting output parameter * GHA: Fix typo. 
* New tool, docs/version-check * Formalize our compare-against-docker mechanism * Add restart-sec for container service files * test/tools: bump module to go 1.17 * contrib/cirrus/check_go_changes.sh: ignore test/tools/vendor * build(deps): bump golang.org/x/tools from 0.1.12 to 0.2.0 in /test/tools * libpod: Add FreeBSD support in packageVersion * Allow podman manifest push --purge|-p as alias for --rm * [CI:DOCS] Add performance tutorial * [CI:DOCS] Fix build targets in build_osx.md. * fix --format {{json .}} output to match docker * remote: fix manifest add --annotation * Skip test if `--events-backend` is necessary with podman-remote * kube play: update the handling of PersistentVolumeClaim * system tests: fix a system test in proxy environment * Use single unqualified search registry on Windows * test/system: Add, use tcp_port_probe() to check for listeners rather than binds * test/system: Add tests for pasta(1) connectivity * test/system: Move network-related helpers to helpers.network.bash * test/system: Use procfs to find bound ports, with optional address and protocol * test/system: Use port_is_free() from wait_for_port() * libpod: Add pasta networking mode * More log-flake work * Fix test flakes caused by improper podman-logs * fix incorrect systemd booted check * Cirrus: Add tests for GHA scripts * GHA: Update scripts to pass shellcheck * Cirrus: Shellcheck github-action scripts * Cirrus: shellcheck support for github-action scripts * GHA: Fix cirrus-cron scripts * Makefile: don't install to tmpfiles.d on FreeBSD * Make sure we can build and read each line of docker py's api client * Docker compat build api - make sure only one line appears per flush * Run codespell on code * Update vendor of containers/(image, storage, common) * Allow namespace path network option for pods. * Cirrus: Never skip running Windows Cross task * GHA: Auto. 
re-run failed cirrus-cron builds once * GHA: Migrate inline script to file * GHA: Simplify script reference * test/e2e: do not use apk in builds * remove container/pod id file along with container/pod * Cirrus: Synchronize windows image * Add --insecure,--tls-verify,--verbose flags to podman manifest inspect * runtime: add check for valid pod systemd cgroup * CI: set and verify DESIRED_NETWORK (netavark, cni) * [CI:DOCS] troubleshooting: document keep-id options * Man pages: refactor common options: --security-opt * Cirrus: Guarantee CNI testing w/o nv/av present * Cirrus: temp. disable all Ubuntu testing * Cirrus: Update to F37beta * buildah bud tests: better handling of remote * quadlet: Warn in generator if using short names * Add Windows Smoke Testing * Add podman kube apply command * docs: offer advice on installing test dependencies * Fix documentation on read-only-tmpfs * version bump to 4.4.0-dev * deps: bump go-criu to v6 * Makefile: Add cross build targets for freebsd * pkg/machine: Make this build on FreeBSD/arm64 * pkg/rctl: Remove unused cgo dependency * man pages: assorted underscore fixes * Upgrade GitHub actions packages from v2 to v3 * vendor github.com/godbus/dbus/v5@4b691ce * [CI:DOCS] fix --tmpdir typos * Do not report that /usr/share/containers/storage.conf has been edited. 
* Eval symlinks on XDG_RUNTIME_DIR * hack/podmansnoop * rootless: support keep-id with one mapping * rootless: add argument to GetConfiguredMappings * Update vendor containers/(common,storage,buildah,image) * Fix deadlock between 'podman ps' and 'container inspect' commands * Add information about where the libpod/boltdb database lives * Consolidate the dependencies for the IsTerminal() API * Ensure that StartAndAttach locks while sending signals * ginkgo testing: fix podman usernamespace join * Test runners: nuke podman from $PATH before tests * volumes: Fix idmap not working for volumes * FIXME: Temporary workaround for ubi8 CI breakage * System tests: teardown: clean up volumes * update api versions on docs.podman.io * system tests: runlabel: use podman-under-test * system tests: podman network create: use random port * sig-proxy test: bump timeout * play kube: Allow the user to import the contents of a tar file into a volume * Clarify the docs on DropCapability * quadlet tests: Disable kmsg logging while testing * quadlet: Support multiple Network= * quadlet: Add support for Network=... 
* Fix manpage for podman run --network option * quadlet: Add support for AddDevice= * quadlet: Add support for setting seccomp profile * quadlet: Allow multiple elements on each Add/DropCaps line * quadlet: Embed the correct binary name in the generated comment * quadlet: Drop the SocketActivated key * quadlet: Switch log-driver to passthrough * quadlet: Change ReadOnly to default to enabled * quadlet tests: Run the tests even for (expected) failed tests * quadlet tests: Fix handling of stderr checks * Remove unused script file * notifyproxy: fix container watcher * container/pod id file: truncate instead of throwing an error * quadlet: Use the new podman create volume --ignore * Add podman volume create --ignore * logcollector: include aardvark-dns * build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 * build(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1 * docs: generate systemd: point to kube template * docs: kube play: mention restart policy * Fixes: 15858 (podman system reset --force destroy machine) * fix search flake * use cached containers.conf * adding regex support to the ancestor ps filter function * Fix `system df` issues with `-f` and `-v` * markdown-preprocess: cross-reference where opts are used * Default qemu flags for Windows amd64 * build(deps): bump golang.org/x/text from 0.3.8 to 0.4.0 * Update main to reflect v4.3.0 release * build(deps): bump github.com/docker/docker * move quadlet packages into pkg/systemd * system df: fix image-size calculations * Add man page for quadlet * Fix small typo * testimage: add iproute2 & socat, for pasta networking * Set up minikube for k8s testing * Makefile: don't install systemd generator binaries on FreeBSD * [CI:BUILD] copr: podman rpm should depend on containers-common-extra * Podman image: Set default_sysctls to empty for rootless containers * Don't use github.com/docker/distribution * libpod: Add support for 'podman top' on FreeBSD * libpod: Factor out jail name construction from 
stats_freebsd.go * pkg/util: Add pid information descriptors for FreeBSD * Initial quadlet version integrated in golang * bump golangci-lint to v1.49.0 * Update vendor containers/(common,image,storage) * Allow volume mount dups, iff source and dest dirs * rootless: fix return value handling * Change to correct break statements * vendor containers/psgo@v1.8.0 * Clarify that MacOSX docs are client specific * libpod: Factor out the call to PidFdOpen from (*Container).WaitForExit * Add swagger install + allow version updates in CI * Cirrus: Fix windows clone race * build(deps): bump github.com/docker/docker * kill: wait for the container * generate systemd: set --stop-timeout for stopping containers * hack/tree_status.sh: print diff at the end * Fix markdown header typo * markdown-preprocess: add generic include mechanism * markdown-preprocess: almost complete OO rewrite * Update tests for changed error messages * Update c/image after https://github.com/containers/image/pull/1299 * Man pages: refactor common options (misc) * Man pages: Refactor common options: --detach-keys * vendor containers/storage@main * Man pages: refactor common options: --attach * build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 * KillContainer: improve error message * docs: add missing options * Man pages: refactor common options: --annotation (manifest) * build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0 * system tests: health-on-failure: fix broken logic * build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 * build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1 * ContainerEngine.SetupRootless(): Avoid calling container.Config() * Container filters: Avoid use of ctr.Config() * Avoid unnecessary calls to Container.Spec() * Add and use Container.LinuxResource() helper * play kube: notifyproxy: listen before starting the pod * play kube: add support for configmap binaryData * Add and use libpod/Container.Terminal() helper * Revert "Add checkpoint image 
tests" * Revert "cmd/podman: add support for checkpoint images" * healthcheck: fix --on-failure=stop * Man pages: Add mention of behavior due to XDG_CONFIG_HOME * build(deps): bump github.com/containers/ocicrypt from 1.1.5 to 1.1.6 * Avoid unnecessary timeout of 250msec when waiting on container shutdown * health checks: make on-failure action retry aware * libpod: Remove 100msec delay during shutdown * libpod: Add support for 'podman pod' on FreeBSD * libpod: Factor out cgroup validation from (*Runtime).NewPod * libpod: Move runtime_pod_linux.go to runtime_pod_common.go * specgen/generate: Avoid a nil dereference in MakePod * libpod: Factor out cgroups handling from (*Pod).refresh * Adds a link to OSX docs in CONTRIBUTING.md * Man pages: refactor common options: --os-version * Create full path to a directory when DirectoryOrCreate is used with play kube * Return error in podman system service if URI scheme is not unix/tcp * Man pages: refactor common options: --time * man pages: document some --format options: images * Clean up when stopping pods * Update vendor of containers/buildah v1.28.0 * Proof of concept: nightly dependency treadmill
- Make the priority for picking the storage driver configurable (bsc#1197093)
podman-4.4.4-150400.4.16.1.src.rpm podman-4.4.4-150400.4.16.1.x86_64.rpm podman-cni-config-4.4.4-150400.4.16.1.noarch.rpm podman-docker-4.4.4-150400.4.16.1.noarch.rpm podman-remote-4.4.4-150400.4.16.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1866 Recommended update for buildah moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64
This update for buildah fixes the following issues:
Update to version 1.29.1 (jsc#PED-1805):
* Update to c/image 5.24.1
Update to version 1.29.0:
* tests: improve build-with-network-test * Flake 3710 has been closed. Reenable the test. 
* [CI:DOCS] Fix two diversity issues in a tutorial * vendor in latest containers/(storage, common, image) * fix bud-multiple-platform-with-base-as-default-arg flake * stage_executor: while mounting stages use freshly built stage * vendor in latest containers/(storage, common, image, ocicrypt) * tests: change the runtime-flag test for crun * [CI:DOCS] README: drop sudo * Fix multi-arch manifest-list build timeouts * Cirrus: Update VM Images * bud: Consolidate multiple synthetic LABEL instructions * build, secret: allow relative mountpoints wrt work dir * fixed squash documentation * Vendor in latest containers/(common, image, storage) * system tests: remove unhelpful assertions * buildah: add prune command and expose CleanCacheMount API * Add support for --group-add to buildah from * Add documentation for buildah build --pull=missing * parse: default ignorefile must not point to symlink outside context * buildah: wrap network setup errors * build, mount: allow relative mountpoints wrt work dir * Update to F37 CI VM Images, re-enable prior-fedora * Update vendor of containers/(image, storage, common) * Update contact information * Replace io/ioutil calls with os calls * [skip-ci] GHA/Cirrus-cron: Fix execution order * Vendor in containers/common * remote-cache: support multiple sources and destinations * Update c/storage after https://github.com/containers/storage/pull/1436 * util.SortMounts(): make the returned order more stable * version: Bump to 1.29.0-dev * [CI:BUILD] Cirrus: Migrate OSX task to M1 * Update vendor of containers/(common, storage, image) * mount=type=cache: separate cache parent on host for each user * Fix installation instructions for Gentoo Linux * GHA: Reuse both cirrus rerun and check workflows * Vendor in latest containers/(common,image,storage) * copier.Put(): clear up os/syscall mode bit confusion * Use TypeBind consistently to name bind/nullfs mounts * Add no-new-privileges flag * Update vendor of containers/(common, image, 
storage) * imagebuildah:build with --all-platforms must honor args for base images * codespell code * Expand args and env when using --all-platforms * GHA: Simplify Cirrus-Cron check slightly * Stop using ubi8 * remove unnecessary (hence misleading) rmi * chroot: fix mounting of ro bind mounts * executor: honor default ARG value while eval base name * userns: add arbitrary steps/stage to --userns=auto test * Don't set allow.mount in the vnet jail on Freebsd * copier: Preserve file flags when copying archives on FreeBSD * Remove quiet flag, so that it works in podman-remote * test: fix preserve rootfs with --mount for podman-remote * test: fix prune logic for cache-from after adding content summary * vendor in latest containers/(storage, common, image) * Fix RUN --mount=type=bind,from=<stage> not preserving rootfs of stage * Define and use a safe, reliable test image * Fix word missing in Container Tools Guide * Makefile: Use $(MAKE) to start sub-makes in install.tools * imagebuildah: pull cache from remote repo after adding content summary * Makefile: Fix install on FreeBSD * Ensure the cache volume locks are unlocked on all paths * Vendor in latest containers/(common,storage) * Simplify the interface of GetCacheMount and getCacheMount * Fix cache locks with multiple mounts * Remove calls to Lockfile.Locked() * Maintain cache mount locks as lock objects instead of paths * test: cleaning cache must not clean lockfiles * run: honor lockfiles for multiple --mount instruction * mount,cache: lockfiles must not be part of users cache content * Update vendor containers/(common,image,storage) * [CI:BUILD] copr: buildah rpm should depend on containers-common-extra * pr-should-include-tests: allow specfile, golangci * sshagent: LockOSThread before setting SocketLabel * Update tests for error message changes * Update c/image after https://github.com/containers/image/pull/1299 * Fix ident for dependabot gha block * Fix man pages to match latest cobra settings * test: retrofit 
'bud with undefined build arg directory' * imagebuildah: warnOnUnsetBuildArgs while processing stages from executor * Update contrib/buildahimage/Containerfile * Cirrus CI add flavor parameter * Correction - `FLAVOR` not `FLAVOUR` * Changed build argument from `RELEASE` to `FLAVOUR` * Combine buildahimage Containerfiles * bud.bats refactoring: $TEST_SCRATCH_DIR, part 2 of 2 * bud.bats refactoring: $TEST_SCRATCH_DIR, part 1 of 2 * System test cleanup: document, clarify, fix
buildah-1.29.1-150400.3.14.1.src.rpm buildah-1.29.1-150400.3.14.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2003 Security update for runc important SUSE Updates SLE-Module-Containers 15-SP4 x86 64
This update for runc fixes the following issues:
Update to runc v1.1.5:
Security fixes:
- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` being writable when the cgroup namespace is not unshared (bnc#1209884).
- CVE-2023-27561: Fixed a regression that reintroduced the CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed an AppArmor/SELinux bypass when `/proc` inside the container rootfs is a symlink (bnc#1209888).
Other fixes:
- Fix the inability to use `/dev/null` when inside a container.
- Fix changing the ownership of the host's `/dev/null` caused by fd redirection (bsc#1168481).
- Fix rare runc exec/enter unshare error on older kernels.
- nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
runc-1.1.5-150000.41.1.src.rpm runc-1.1.5-150000.41.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1827 Security update for containerd moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64
This update for containerd fixes the following issues:
Update to containerd v1.6.19:
Security fixes:
- CVE-2023-25153: Fixed memory exhaustion in the OCI image importer (bnc#1208423).
- CVE-2023-25173: Fixed supplementary groups not being set up properly inside the container (bnc#1208426).
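Three checks for the runc v1.1.5 and containerd v1.6.19 fixes listed above, written here as an added Go example (this is not code from runc, containerd or SUSE, and the function names are this example's own). The mountinfo excerpts and the /etc/group file are constructed inputs: once runc 1.1.5 is installed, `/sys/fs/cgroup` inside a rootless container that keeps the host cgroup namespace should show the `ro` option (CVE-2023-25809); a runtime must refuse to mount procfs over a symlinked `/proc` in the rootfs (the condition behind CVE-2023-28642); and a user named in the image must receive the GIDs of every `/etc/group` entry that lists it, which is what CVE-2023-25173 left out:

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Constructed /proc/self/mountinfo excerpts as seen from inside a rootless
// container that shares the host cgroup namespace. Field layout:
// id parent major:minor root mountpoint options ... - fstype source superopts
const MountinfoVulnerable = `1117 1108 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw
1118 1108 0:5 / /dev rw,nosuid - tmpfs tmpfs rw`

const MountinfoFixed = `1117 1108 0:29 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw
1118 1108 0:5 / /dev rw,nosuid - tmpfs tmpfs rw`

// CgroupMountReadOnly reports whether /sys/fs/cgroup carries the "ro" mount
// option in a mountinfo listing. Feed it the real /proc/self/mountinfo from
// inside a rootless container to confirm the CVE-2023-25809 fix is in effect.
func CgroupMountReadOnly(mountinfo string) (bool, error) {
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 6 || f[4] != "/sys/fs/cgroup" {
			continue
		}
		for _, opt := range strings.Split(f[5], ",") {
			if opt == "ro" {
				return true, nil
			}
		}
		return false, nil
	}
	return false, errors.New("/sys/fs/cgroup is not mounted")
}

// ProcIsRealDir rejects a rootfs whose /proc is a symlink, missing, or not a
// directory. Mounting procfs over a symlink is the precondition of
// CVE-2023-28642: the mount lands elsewhere and the LSM labelling is skipped.
func ProcIsRealDir(rootfs string) error {
	p := filepath.Join(rootfs, "proc")
	fi, err := os.Lstat(p) // Lstat, not Stat: we must see the symlink itself
	if err != nil {
		return fmt.Errorf("%s: %w", p, err)
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s is a symlink; refusing to mount procfs over it", p)
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s is not a directory", p)
	}
	return nil
}

// Constructed /etc/group as it might ship inside a container image.
const EtcGroup = `root:x:0:
audio:x:29:app,alice
docker:x:999:alice
app:x:1000:`

// SupplementaryGroups returns, in file order, the GID of every group whose
// member list names user. A runtime that skips this step leaves the container
// user with only its primary group, the behaviour fixed for CVE-2023-25173.
func SupplementaryGroups(etcGroup, user string) []int {
	var gids []int
	for _, line := range strings.Split(etcGroup, "\n") {
		parts := strings.Split(line, ":") // name:password:gid:member,member
		if len(parts) != 4 {
			continue
		}
		gid, err := strconv.Atoi(parts[2])
		if err != nil {
			continue
		}
		for _, m := range strings.Split(parts[3], ",") {
			if m == user {
				gids = append(gids, gid)
				break
			}
		}
	}
	return gids
}

func main() {
	ro, err := CgroupMountReadOnly(MountinfoVulnerable)
	fmt.Println("/sys/fs/cgroup read-only:", ro, err)
	dir, err := os.MkdirTemp("", "rootfs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	_ = os.Symlink("/", filepath.Join(dir, "proc")) // hostile image layout
	fmt.Println("proc check:", ProcIsRealDir(dir))
	fmt.Println("groups for alice:", SupplementaryGroups(EtcGroup, "alice"))
}
```

On a patched host the quickest end-to-end confirmation of the third point is `podman run --rm --user alice <image> id`: the output should list the groups from the image's /etc/group, not just the primary GID.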
containerd-1.6.19-150000.87.1.src.rpm containerd-1.6.19-150000.87.1.x86_64.rpm containerd-ctr-1.6.19-150000.87.1.x86_64.rpm containerd-devel-1.6.19-150000.87.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1901 Security update for helm moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64
This update for helm fixes the following issues:
Update to version 3.11.2:
* chore(deps): bump github.com/rubenv/sql-migrate from 1.2.0 to 1.3.1
* the linters varcheck and deadcode are deprecated (since v1.49.0)
* fix template --output-dir issue
* build against a supported go version: go1.19 (bsc#1209670)
helm-3.11.2-150000.1.19.1.src.rpm helm-3.11.2-150000.1.19.1.x86_64.rpm helm-bash-completion-3.11.2-150000.1.19.1.noarch.rpm helm-zsh-completion-3.11.2-150000.1.19.1.noarch.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2075 Recommended update for aardvark-dns, netavark moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64
This update for aardvark-dns, netavark fixes the following issues:
This update ships netavark and aardvark-dns for use by podman. (jsc#PED-1805)
aardvark-dns-1.5.0-150400.9.4.1.src.rpm aardvark-dns-1.5.0-150400.9.4.1.x86_64.rpm netavark-1.5.0-150400.9.5.1.src.rpm netavark-1.5.0-150400.9.5.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-1851 Security update for container-suseconnect important SUSE Updates SLE-Module-Containers 15-SP4 x86 64
This update for container-suseconnect fixes the following issue:
- rebuilt against the current Go version.
container-suseconnect-2.4.0-150000.4.26.1.src.rpm container-suseconnect-2.4.0-150000.4.26.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-1967 Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues: - CVE-2023-26484: Limit operator secrets permission. (bsc#1209359) kubevirt is also rebuilt with a supported GO compiler (bsc#1208916) kubevirt-0.54.0-150400.3.13.1.src.rpm kubevirt-manifests-0.54.0-150400.3.13.1.x86_64.rpm kubevirt-virtctl-0.54.0-150400.3.13.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-1966 Security update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer fixes the following issues: - build the containerized-data-importer with a supported golang compiler (bsc#1208916) containerized-data-importer-1.51.0-150400.4.13.1.src.rpm containerized-data-importer-manifests-1.51.0-150400.4.13.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2154 Security update for distribution important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for distribution fixes the following issues: - CVE-2023-2253: Fixed possible DoS via a crafted malicious /v2/_catalog API endpoint request (bsc#1207705). 
distribution-2.8.1-150400.9.18.1.src.rpm distribution-registry-2.8.1-150400.9.18.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2254 Security update for containerd important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for containerd fixes the following issues: - Rebuild containerd with a current version of go to catch up on bugfixes and security fixes (bsc#1210298) containerd-1.6.19-150000.90.3.src.rpm containerd-1.6.19-150000.90.3.x86_64.rpm containerd-ctr-1.6.19-150000.90.3.x86_64.rpm containerd-devel-1.6.19-150000.90.3.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2174 Security update for container-suseconnect important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 19.9 secure release (bsc#1200441). container-suseconnect-2.4.0-150000.4.28.1.src.rpm container-suseconnect-2.4.0-150000.4.28.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2325 Security update for cni important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of cni fixes the following issues: - rebuild the package with the go 1.19 security release (bsc#1200441). cni-0.7.1-150100.3.10.1.src.rpm cni-0.7.1-150100.3.10.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2324 Security update for cni-plugins important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of cni-plugins fixes the following issues: - rebuild the package with the go 1.19 security release (bsc#1200441). cni-plugins-0.8.6-150100.3.13.1.src.rpm cni-plugins-0.8.6-150100.3.13.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2178 Security update for buildah important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of buildah fixes the following issues: - rebuild the package with the go 19.9 secure release (bsc#1200441). 
buildah-1.29.1-150400.3.16.1.src.rpm buildah-1.29.1-150400.3.16.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2157 Security update for conmon important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of conmon fixes the following issues: - rebuild the package with the go 19.9 secure release (bsc#1200441). conmon-2.1.5-150400.3.8.1.src.rpm conmon-2.1.5-150400.3.8.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2179 Security update for helm important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of helm fixes the following issues: - rebuild the package with the go 19.9 secure release (bsc#1200441). helm-3.11.2-150000.1.21.1.src.rpm helm-3.11.2-150000.1.21.1.x86_64.rpm helm-bash-completion-3.11.2-150000.1.21.1.noarch.rpm helm-zsh-completion-3.11.2-150000.1.21.1.noarch.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2256 Security update for runc important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of runc fixes the following issues: - rebuild the package with the go 19.9 secure release (bsc#1200441). runc-1.1.5-150000.43.1.src.rpm runc-1.1.5-150000.43.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2288 Security update for kubernetes1.18 important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of kubernetes1.18 fixes the following issues: - rebuild the package with the go 1.19 security release (bsc#1200441 bsc#1209658). 
kubernetes1.18-1.18.10-150200.5.7.1.src.rpm kubernetes1.18-client-1.18.10-150200.5.7.1.x86_64.rpm kubernetes1.18-client-common-1.18.10-150200.5.7.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2214 Recommended update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues: - Always render block devices in hp-volume- pod template - Detect ServiceMonitor and PrometheusRule CRDs - TSC frequencies: add 250PPM tolerance (bsc#1210906) - Follow the recommended semantics for the device plugin registration process (https://github.com/kubernetes/kubernetes/issues/112395) kubevirt-0.54.0-150400.3.16.1.src.rpm kubevirt-manifests-0.54.0-150400.3.16.1.x86_64.rpm kubevirt-virtctl-0.54.0-150400.3.16.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2298 Security update for distribution moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for distribution fixes the following issues: Update to verison 2.8.2: - Revert registry/client: set `Accept: identity` header when getting layers - Parse `http` forbidden as denied - Fix CVE-2023-2253 runaway allocation on /v2/_catalog (bsc#1207705) - Fix panic in inmemory driver - update to go1.19.9 - Add code to handle pagination of parts. 
Fixes max layer size of 10GB bug - Dockerfile: fix filenames of artifacts distribution-2.8.2-150400.9.21.1.src.rpm distribution-registry-2.8.2-150400.9.21.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2352 Recommended update for kubernetes1.24 client moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for kubernetes1.24 client fixes the following issues: This update provides the kubernetes client in version 1.24. (jsc#PED-4120) kubernetes1.24-1.24.13-150400.9.3.3.src.rpm kubernetes1.24-client-1.24.13-150400.9.3.3.x86_64.rpm kubernetes1.24-client-common-1.24.13-150400.9.3.3.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-2292 Security update for kubernetes1.23 moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for kubernetes1.23 fixes the following issues: - add kubernetes1.18-client-common as conflicts with kubernetes-client-bash-completion - Split individual completions into separate packages Update to version 1.23.17: * releng: Update images, dependencies and version to Go 1.19.6 * Update golang.org/x/net to v0.7.0 * Pin golang.org/x/net to v0.4.0 * add scale test for probes * use custom dialer for http probes * use custom dialer for tcp probes * add custom dialer optimized for probes * egress_selector: prevent goroutines leak on connect() step. 
* tls.Dial() validates hostname, no need to do that manually * Fix issue that Audit Server could not correctly encode DeleteOption * Do not include scheduler name in the preemption event message * Do not leak cross namespace pod metadata in preemption events * pkg/controller/job: re-honor exponential backoff * releng: Update images, dependencies and version to Go 1.19.5 * Bump Konnectivity to v0.0.35 * Improve vendor verification works for each staging repo * Update to go1.19 * Adjust for os/exec changes in 1.19 * Update golangci-lint to 1.46.2 and fix errors * Match go1.17 defaults for SHA-1 and GC * update golangci-lint to 1.45.0 * kubelet: make the image pull time more accurate in event * change k8s.gcr.io/pause to registry.k8s.io/pause * use etcd 3.5.6-0 after promotion * changelog: CVE-2022-3294 and CVE-2022-3162 were fixed in v1.23.14 * Add CVE-2021-25749 to CHANGELOG-1.23.md * Add CVE-2022-3294 to CHANGELOG-1.23.md * kubeadm: use registry.k8s.io instead of k8s.gcr.io * etcd: Updated to v3.5.5 * Bump konnectivity network proxy to v0.0.33. Includes a couple bug fixes for better handling of dial failures. [Agent & Server](https://github.com/kubernetes-sigs/apiserver-network-proxy/commits/v0.0.33) include numerous other fixes. * kubeadm: allow RSA and ECDSA format keys in preflight check * Fixes kubelet log compression on Windows * Reduce default gzip compression level from 4 to 1 in apiserver * exec auth: support TLS config caching * Marshal MicroTime to json and proto at the same precision * Windows: ensure runAsNonRoot does case-insensitive comparison on user name * update structured-merge-diff to 4.2.3 * Add rate limiting when calling STS assume role API * Fixing issue in generatePodSandboxWindowsConfig for hostProcess containers by where pod sandbox won't have HostProcess bit set if pod does not have a security context but containers specify HostProcess. 
kubernetes1.23-1.23.17-150300.7.6.1.src.rpm kubernetes1.23-client-1.23.17-150300.7.6.1.x86_64.rpm kubernetes1.23-client-common-1.23.17-150300.7.6.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2658
Recommended update for containerd, docker, runc (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for containerd, docker, runc fixes the following issues:
- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

Updating docker will restart the docker service, which may stop some of your docker containers. Do you want to proceed with the update?

containerd-1.6.21-150000.93.1.src.rpm containerd-1.6.21-150000.93.1.x86_64.rpm containerd-ctr-1.6.21-150000.93.1.x86_64.rpm containerd-devel-1.6.21-150000.93.1.x86_64.rpm docker-23.0.6_ce-150000.178.1.src.rpm docker-23.0.6_ce-150000.178.1.x86_64.rpm docker-bash-completion-23.0.6_ce-150000.178.1.noarch.rpm runc-1.1.7-150000.46.1.src.rpm runc-1.1.7-150000.46.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2541
Security update for kubernetes1.18 (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubernetes1.18 fixes the following issues:
- CVE-2023-2727: Fixed bypassing policies imposed by the ImagePolicyWebhook admission plugin (bsc#1211630).
- CVE-2023-2728: Fixed bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin (bsc#1211631).

kubernetes1.18-1.18.10-150200.5.10.1.src.rpm kubernetes1.18-client-1.18.10-150200.5.10.1.x86_64.rpm kubernetes1.18-client-common-1.18.10-150200.5.10.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2542
Security update for kubernetes1.23 (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubernetes1.23 fixes the following issues:
- CVE-2023-2727: Fixed bypassing policies imposed by the ImagePolicyWebhook admission plugin (bsc#1211630).
- CVE-2023-2728: Fixed bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin (bsc#1211631).

kubernetes1.23-1.23.17-150300.7.9.1.src.rpm kubernetes1.23-client-1.23.17-150300.7.9.1.x86_64.rpm kubernetes1.23-client-common-1.23.17-150300.7.9.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3092
Recommended update for python-kubernetes (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

python-kubernetes was updated to the latest version (bsc#1151481, jsc#PED-2217 and jsc#PED-68).

Version update to 26.1.0. See https://github.com/kubernetes-client/python/blob/master/CHANGELOG.md

python-kubernetes-26.1.0-150400.10.3.1.src.rpm python3-kubernetes-26.1.0-150400.10.3.1.noarch.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2600
Security update for container-suseconnect (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).

container-suseconnect-2.4.0-150000.4.30.1.src.rpm container-suseconnect-2.4.0-150000.4.30.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2868
Security update for cni (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of cni fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).

cni-0.7.1-150100.3.12.1.src.rpm cni-0.7.1-150100.3.12.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2869
Security update for cni-plugins (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of cni-plugins fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).

cni-plugins-0.8.6-150100.3.15.1.src.rpm cni-plugins-0.8.6-150100.3.15.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2773
Security update for kubernetes1.18 (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of kubernetes1.18 fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).

kubernetes1.18-1.18.10-150200.5.12.1.src.rpm kubernetes1.18-client-1.18.10-150200.5.12.1.x86_64.rpm kubernetes1.18-client-common-1.18.10-150200.5.12.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2717
Security update for buildah (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of buildah fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).

buildah-1.29.1-150400.3.18.1.src.rpm buildah-1.29.1-150400.3.18.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2654
Security update for kubernetes1.24 (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of kubernetes1.24 fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).

kubernetes1.24-1.24.13-150400.9.5.1.src.rpm kubernetes1.24-client-1.24.13-150400.9.5.1.x86_64.rpm kubernetes1.24-client-common-1.24.13-150400.9.5.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2923
Security update for container-suseconnect (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).

container-suseconnect-2.4.0-150000.4.32.1.src.rpm container-suseconnect-2.4.0-150000.4.32.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-2989
Security update for conmon (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for conmon fixes the following issues:

conmon was updated to version 2.1.7:
- Bumped go version to 1.19 (bsc#1209307).

Bugfixes:
- Fixed leaking symbolic links in the opt_socket_path directory.
- Fixed cgroup oom issues (bsc#1208737).
- Fixed OOM watcher for cgroupv2 `oom_kill` events.

conmon-2.1.7-150400.3.11.1.src.rpm conmon-2.1.7-150400.3.11.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3299
Recommended update for kubernetes1.18 (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubernetes1.18 fixes the following issues:
- Update `Requires` in the "kubernetes1.18-client" package

kubernetes1.18-1.18.10-150200.5.15.1.src.rpm kubernetes1.18-client-1.18.10-150200.5.15.1.x86_64.rpm kubernetes1.18-client-common-1.18.10-150200.5.15.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3057
Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues:

This update rebuilds the kubevirt stack with the current GO release.

kubevirt-0.54.0-150400.3.19.1.src.rpm kubevirt-manifests-0.54.0-150400.3.19.1.x86_64.rpm kubevirt-virtctl-0.54.0-150400.3.19.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3010
Security update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer fixes the following issues:

This update rebuilds containerized-data-importer against the current GO security release.

containerized-data-importer-1.51.0-150400.4.16.1.src.rpm containerized-data-importer-manifests-1.51.0-150400.4.16.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3536
Security update for docker (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for docker fixes the following issues:
- Update to Docker 24.0.5-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229
- Update to Docker 24.0.4-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/24.0/#2404>. bsc#1213500
- Update to Docker 24.0.3-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/24.0/#2403>. bsc#1213120
- Recommend docker-rootless-extras instead of Require(ing) it, given it's an additional functionality and not inherently required for docker to function.
- Add docker-rootless-extras subpackage (https://docs.docker.com/engine/security/rootless)
- Update to Docker 24.0.2-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/24.0/#2402>. bsc#1212368
  * Includes the upstreamed fix for the mount table pollution issue. bsc#1210797
- Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as being provided by this package.
- was rebuilt against current GO compiler.

Updating docker will restart the docker service, which may stop some of your docker containers. Do you want to proceed with the update?

docker-24.0.5_ce-150000.185.1.src.rpm docker-24.0.5_ce-150000.185.1.x86_64.rpm docker-bash-completion-24.0.5_ce-150000.185.1.noarch.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3260
Security update for kubernetes1.24 (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubernetes1.24 fixes the following issues:

Update to version 1.24.16:
- CVE-2023-2727: Fixed bypassing policies imposed by the ImagePolicyWebhook admission plugin (bsc#1211630).
- CVE-2023-2728: Fixed bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin (bsc#1211631).

kubernetes1.24-1.24.16-150400.9.8.2.src.rpm kubernetes1.24-client-1.24.16-150400.9.8.2.x86_64.rpm kubernetes1.24-client-common-1.24.16-150400.9.8.2.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3264
Security update for container-suseconnect (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).

container-suseconnect-2.4.0-150000.4.34.1.src.rpm container-suseconnect-2.4.0-150000.4.34.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3815
Security update for cni (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of cni fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

cni-0.7.1-150100.3.14.1.src.rpm cni-0.7.1-150100.3.14.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3816
Security update for cni-plugins (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of cni-plugins fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

cni-plugins-0.8.6-150100.3.17.1.src.rpm cni-plugins-0.8.6-150100.3.17.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3532
Security update for kubernetes1.18 (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of kubernetes1.18 fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

kubernetes1.18-1.18.10-150200.5.17.1.src.rpm kubernetes1.18-client-1.18.10-150200.5.17.1.x86_64.rpm kubernetes1.18-client-common-1.18.10-150200.5.17.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3531
Security update for buildah (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of buildah fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

buildah-1.29.1-150400.3.20.1.src.rpm buildah-1.29.1-150400.3.20.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3539
Security update for container-suseconnect (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

container-suseconnect-2.4.0-150000.4.36.1.src.rpm container-suseconnect-2.4.0-150000.4.36.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3817
Security update for containerd (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of containerd fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

containerd-1.6.21-150000.95.1.src.rpm containerd-1.6.21-150000.95.1.x86_64.rpm containerd-ctr-1.6.21-150000.95.1.x86_64.rpm containerd-devel-1.6.21-150000.95.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3952
Security update for runc (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of runc fixes the following issues:
- Update to runc v1.1.8. Upstream changelog is available from <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.
- rebuild the package with the go 1.21 security release (bsc#1212475).

runc-1.1.8-150000.49.1.src.rpm runc-1.1.8-150000.49.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4194
Feature update for python3 (low)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This feature update for python3 packages adds the following:
- First batch of python3.11 modules (jsc#PED-68)
- Rename sources of python3-kubernetes, python3-cryptography and python3-cryptography-vectors to accommodate the new 3.11 versions; these 3 packages have no code changes.

python3-kubernetes-26.1.0-150400.16.2.noarch.rpm python3-kubernetes-26.1.0-150400.16.2.src.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-3834
Security update for container-suseconnect (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

container-suseconnect-2.4.0-150000.4.38.1.src.rpm container-suseconnect-2.4.0-150000.4.38.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4124
Security update for helm (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for helm fixes the following issues:

helm was updated to version 3.13.1:
* Fixing precedence issue with the import of values.
* Add missing with clause to release gh action
* FIX Default ServiceAccount yaml
* fix(registry): unswallow error
* remove useless print during prepareUpgrade
* fix(registry): address anonymous pull issue
* Fix missing run statement on release action
* Write latest version to get.helm.sh bucket
* Increased release information key name max length.

helm was updated to version 3.13.0 (bsc#1215588):
* Fix leaking goroutines in Install
* Update Helm to use k8s 1.28.2 libraries
* make the dependabot k8s.io group explicit
* use dependabot's group support for k8s.io dependencies
* doc:Executing helm rollback release 0 will roll back to the previous release
* Use labels instead of selectorLabels for pod labels
* fix(helm): fix GetPodLogs, the hooks should be sorted before get the logs of each hook
* chore: HTTPGetter add default timeout
* Avoid nil dereference if passing a nil resolver
* Add required changes after merge
* Fix #3352, add support for --ignore-not-found just like kubectl delete
* Fix helm may identify achieve of the application/x-gzip as application/vnd.ms-fontobject
* Restore `helm get metadata` command
* Revert "Add `helm get metadata` command"
* test: replace `ensure.TempDir` with `t.TempDir`
* use json api url + report curl/wget error on fail
* Added error in case try to supply custom label with name of system label during install/upgrade
* fix(main): fix basic auth for helm pull or push
* cmd: support generating index in JSON format
* repo: detect JSON and unmarshal efficiently
* Tweaking new dry-run internal handling
* bump kubernetes modules to v0.27.3
* Remove warning for template directory not found.
* Added tests for created OCI annotation time format
* Add created OCI annotation
* Fix multiple bugs in values handling
* chore: fix a typo in `manager.go`
* add GetRegistryClient method
* oci: add tests for plain HTTP and insecure HTTPS registries
* oci: Add flag `--plain-http` to enable working with HTTP registries
* docs: add an example for using the upgrade command with existing values
* Replace `fmt.Fprintf` with `fmt.Fprint` in get_metadata.go
* Replace `fmt.Fprintln` with `fmt.Fprintf` in get_metadata.go
* update kubernetes dependencies from v0.27.0 to v0.27.1
* Add ClientOptResolver to test util file
* Check that missing keys are still handled in tpl
* tests: change crd golden file to match after #11870
* Adding details on the Factory interface
* update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart
* feat(helm): add ability for --dry-run to do lookup functions. When a helm command is run with the --dry-run flag, it will try to connect to the cluster to be able to render lookup functions. Closes #8137
* bugfix:(#11391) helm lint infinite loop when malformed template object
* pkg/engine: fix nil-dereference
* pkg/chartutil: fix nil-dereference
* pkg/action: fix nil-dereference
* full source path when output-dir is not provided
* added Contributing.md section and ref link in the README
* feat(helm): add ability for --dry-run to do lookup functions. When a helm command is run with the --dry-run flag, it will try to connect to the cluster if the value is 'server' to be able to render lookup functions. Closes #8137
* feat(helm): add ability for --dry-run to do lookup functions
* Add `CHART`, `VERSION` and `APP_VERSION` fields to `get all` command output
* Adjust `get` command description to account metadata
* add volumes and volumeMounts in chartutil
* Seed a default switch to control `automountServiceAccountToken`
* Avoid confusing error when passing in '--version X.Y.Z'
* Add `helm get metadata` command
* Use wrapped error so that ErrNoObjectsVisited can be compared after return.
* Add exact version test.
* strict file permissions of repository.yaml
* Check redefinition of define and include in tpl
* Check that `.Template` is passed through `tpl`
* Make sure empty `tpl` values render empty.
* Pick the test improvement out of PR#8371
* #11369 Use the correct index repo cache directory in the `parallelRepoUpdate` method as well
* #11369 Add a test case to prove the bug and its resolution
* ref(helm): export DescriptorPullSummary fields
* feat(helm): add 'ClientOptResolver' ClientOption
* Fix flaky TestSQLCreate test by making sqlmock ignore order of sql requests
* Fixing tests after adding labels to release fixture
* Make default release fixture contain custom labels to make tests check that labels are not lost
* Added support for storing custom labels in SQL storage driver
* Adding support merging new custom labels with original release labels during upgrade
* Added note to install/upgrade commands that original release labels wouldn't be persisted in upgraded release
* Added unit tests for implemented install/upgrade labels logic
* Remove redundant types from util_test.go
* Added tests for newly introduced util.go functions
* Fix broken tests for SQL storage driver
* Fix broken tests for configmap and secret storage drivers
* Make superseded releases keep labels
* Support configmap storage driver for install/upgrade actions --labels argument
* Added upgrade --install labels argument support
* Add labels support for install action with secret storage backend
* test: added tests to load plugin from home dir with space
* fix: plugin does not load when helm base dir contains space
* Add priority class to kind sorter
* Fixes #10566
* test(search): add mixedCase test case
* fix(search): print repo search result in original case
* Adjust error message wrongly claiming that there is a resource conflict
* Throw an error from jobReady() if the job exceeds its BackoffLimit
* github: add Asset Transparency action for GitHub releases

Update to version 3.12.3:
* bump kubernetes modules to v0.27.3
* Add priority class to kind sorter

Update to version 3.12.2:
* add GetRegistryClient method

Update to version 3.12.1:
* bugfix:(#11391) helm lint infinite loop when malformed template object
* update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart
* test(search): add mixedCase test case
* fix(search): print repo search result in original case
* strict file permissions of repository.yaml
* update kubernetes dependencies from v0.27.0 to v0.27.1

Update to version 3.12.0:
* Attach annotations to OCI artifacts
* Fix goroutine leak in action install
* fix quiet lint does not fail on non-linting errors
* create failing test for quietly linting a chart that doesn't exist
* Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774)
* fix: failed testcase on windows
* Fix 32bit-x86 typo in testsuite
* Handle failed DNS case for Go 1.20+
* Updating the Go version in go.mod
* Fix goroutine leak in perform
* Properly invalidate client after CRD install
* Provide a helper to set the registryClient in cmd
* Reimplemented change in httpgetter for insecure TLS option
* Added insecure option to login subcommand
* Added support for insecure OCI registries
* Enable custom certificates option for OCI
* Add testing to default and release branches
* Remove job dependency. Should have done when I moved job to new file
* Remove check to run only in helm org
* Add why comments
* Convert remaining CircleCI config to GitHub Actions
* Changed how the setup-go action sets go version
* chore:Use http constants as http.request parameters
* update k8s registry domain
* don't mark issues as stale where a PR is in progress
* Update to func handling
* Add option to support cascade deletion options
* the linter varcheck and deadcode are deprecated (since v1.49.0)
* Check status code before retrying request
* Fix improper use of Table request/response to k8s API
* fix template --output-dir issue
* Add protection for stack-overflows for nested keys
* feature(helm): add --set-literal flag for literal string interpretation

Update to version 3.11.3:
* Fix goroutine leak in perform
* Fix goroutine leak in action install
* Fix 32bit-x86 typo in testsuite
* Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774)

- avoid CGO to workaround missing gold dependency (bsc#1183043)

helm-3.13.1-150000.1.26.1.src.rpm helm-3.13.1-150000.1.26.1.x86_64.rpm helm-bash-completion-3.13.1-150000.1.26.1.noarch.rpm helm-zsh-completion-3.13.1-150000.1.26.1.noarch.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4042
Security update for conmon (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for conmon fixes the following issues:

conmon was rebuilt using go1.21 (bsc#1215806)

conmon-2.1.7-150400.3.14.1.src.rpm conmon-2.1.7-150400.3.14.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4125
Security update for container-suseconnect (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of container-suseconnect fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

container-suseconnect-2.4.0-150000.4.40.2.src.rpm container-suseconnect-2.4.0-150000.4.40.2.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4365
Recommended update for kubernetes1.25 (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubernetes1.25 fixes the following issues:

This update ships the kubernetes1.25-client package. (jsc#PED-5839)

kubernetes1.25-1.25.14-150400.9.3.2.src.rpm kubernetes1.25-client-1.25.14-150400.9.3.2.x86_64.rpm kubernetes1.25-client-common-1.25.14-150400.9.3.2.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4366
Recommended update for kubernetes1.26 (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubernetes1.26 fixes the following issues:

This update ships the kubernetes1.26-client package. (jsc#PED-5839)

kubernetes1.26-1.26.9-150400.9.3.2.src.rpm kubernetes1.26-client-1.26.9-150400.9.3.2.x86_64.rpm kubernetes1.26-client-common-1.26.9-150400.9.3.2.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4341
Recommended update for kubernetes1.27 (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubernetes1.27 fixes the following issues:

This update ships the kubernetes1.27-client package. (jsc#PED-5839)

kubernetes1.27-1.27.6-150400.9.3.2.src.rpm kubernetes1.27-client-1.27.6-150400.9.3.2.x86_64.rpm kubernetes1.27-client-common-1.27.6-150400.9.3.2.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4340
Recommended update for kubernetes1.28 (moderate)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for kubernetes1.28 fixes the following issues:

This update ships the kubernetes1.28-client package. (jsc#PED-5839)

kubernetes1.28-1.28.2-150400.9.3.3.src.rpm kubernetes1.28-client-1.28.2-150400.9.3.3.x86_64.rpm kubernetes1.28-client-common-1.28.2-150400.9.3.3.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4126
Security update for cni (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of cni fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

cni-0.7.1-150100.3.16.1.src.rpm cni-0.7.1-150100.3.16.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4127
Security update for cni-plugins (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update of cni-plugins fixes the following issues:
- rebuild the package with the go 1.21 security release (bsc#1212475).

cni-plugins-0.8.6-150100.3.20.1.src.rpm cni-plugins-0.8.6-150100.3.20.1.x86_64.rpm

SUSE-SLE-Module-Containers-15-SP4-2023-4936
Security update for docker, rootlesskit (important)
SUSE Updates SLE-Module-Containers 15-SP4 x86_64

This update for docker, rootlesskit fixes the following issues:

docker:
- Update to Docker 24.0.7-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513
  * Deny containers access to /sys/devices/virtual/powercap by default.
    - CVE-2020-8694 bsc#1170415
    - CVE-2020-8695 bsc#1170446
    - CVE-2020-12912 bsc#1178760
- Update to Docker 24.0.6-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323
- Add a docker.socket unit file, but with socket activation effectively disabled to ensure that Docker will always run even if you start the socket individually. Users should probably just ignore this unit file. bsc#1210141
- Update to Docker 24.0.5-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229

This update ships docker-rootless support in the docker-rootless-extra package. (jsc#PED-6180)

rootlesskit:
- new package, for docker rootless support.
(jsc#PED-6180) Updating docker will restart the docker service, which may stop some of your docker containers. Do you want to proceed with the update? docker-24.0.7_ce-150000.190.4.src.rpm docker-24.0.7_ce-150000.190.4.x86_64.rpm docker-bash-completion-24.0.7_ce-150000.190.4.noarch.rpm docker-rootless-extras-24.0.7_ce-150000.190.4.noarch.rpm rootlesskit-1.1.1-150000.1.3.3.src.rpm rootlesskit-1.1.1-150000.1.3.3.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4139 Recommended update for containerd, runc moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for containerd, runc fixes the following issues: runc was updated to v1.1.9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.9 containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes: - https://github.com/containerd/containerd/releases/tag/v1.7.7 - https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323 - Add `Provides: cri-runtime` to use containerd as container runtime in Factory Kubernetes packages containerd-1.7.7-150000.100.1.src.rpm containerd-1.7.7-150000.100.1.x86_64.rpm containerd-ctr-1.7.7-150000.100.1.x86_64.rpm containerd-devel-1.7.7-150000.100.1.x86_64.rpm runc-1.1.9-150000.52.2.src.rpm runc-1.1.9-150000.52.2.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4098 Security update for buildah important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of buildah fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). 
buildah-1.29.1-150400.3.22.1.src.rpm buildah-1.29.1-150400.3.22.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4498 Recommended update for kubernetes1.24 moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for kubernetes1.24 fixes the following issues: - Fixes for bsc#1214406 * Update 'Wants' directive in [Unit] section of 'kubelet.service' by replacing 'docker.service' with 'containerd.service' * Add parameter to determine whether packets crossing a bridge are sent to iptables for processing. * Update 'kubeadm.conf' to add 'overlay' kernel module - Update to version 1.24.17: * Release commit for Kubernetes v1.24.17 * Use environment variables for parameters in Powershell and for passing path * Fix capture loop vars in parallel or ginkgo tests * Update protoc check for verify-generated-kms * Bump images, versions and deps to use Go 1.20.7 * Attempt to use AES-GCM before AES-CBC on reads kubernetes1.24-1.24.17-150400.9.11.2.src.rpm kubernetes1.24-client-1.24.17-150400.9.11.2.x86_64.rpm kubernetes1.24-client-common-1.24.17-150400.9.11.2.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4309 Security update for container-suseconnect important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). 
container-suseconnect-2.4.0-150000.4.42.1.src.rpm container-suseconnect-2.4.0-150000.4.42.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4357 Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues: kubevirt is rebuilt against the current GO security release. - Set cache mode on hotplugged disks - Delete VMI prior to NFS server pod in tests kubevirt-0.54.0-150400.3.23.1.src.rpm kubevirt-manifests-0.54.0-150400.3.23.1.x86_64.rpm kubevirt-virtctl-0.54.0-150400.3.23.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4416 Security update for containerized-data-importer important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for containerized-data-importer fixes the following issue: - rebuild with current go compiler containerized-data-importer-1.51.0-150400.4.20.2.src.rpm containerized-data-importer-manifests-1.51.0-150400.4.20.2.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4726 Recommended update for podman low SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for podman fixes the following issues: - Build against latest stable Go version (bsc#1210299) podman-4.4.4-150400.4.19.1.src.rpm podman-4.4.4-150400.4.19.1.x86_64.rpm podman-cni-config-4.4.4-150400.4.19.1.noarch.rpm podman-docker-4.4.4-150400.4.19.1.noarch.rpm podman-remote-4.4.4-150400.4.19.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4509 Recommended update for helm important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for helm fixes the following issues: - Update to version 3.13.2 (bsc#1217013) - Fixes a regression when helm can't be pulled anonymously from 
registries. (bsc#1217013) - Allow using label selectors for system labels for sql backend. - Allow using label selectors for system labels for secrets and configmap backends. helm-3.13.2-150000.1.29.1.src.rpm helm-3.13.2-150000.1.29.1.x86_64.rpm helm-bash-completion-3.13.2-150000.1.29.1.noarch.rpm helm-zsh-completion-3.13.2-150000.1.29.1.noarch.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4511 Security update for container-suseconnect important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). container-suseconnect-2.4.0-150000.4.44.1.src.rpm container-suseconnect-2.4.0-150000.4.44.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4693 Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues: Kubevirt is rebuilt against updated dependencies to fix security issues. 
kubevirt-0.54.0-150400.3.26.1.src.rpm kubevirt-manifests-0.54.0-150400.3.26.1.x86_64.rpm kubevirt-virtctl-0.54.0-150400.3.26.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4974 Security update for distribution moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for distribution fixes the following issues: distribution was updated to 2.8.3 (bsc#1216491): * Pass `BUILDTAGS` argument to `go build` * Enable Go build tags * `reference`: replace deprecated function `SplitHostname` * Dont parse errors as JSON unless Content-Type is set to JSON * update to go 1.20.8 * Set `Content-Type` header in registry client `ReadFrom` * deprecate reference package, migrate to github.com/distribution/reference * `digestset`: deprecate package in favor of `go-digest/digestset` * Do not close HTTP request body in HTTP handler distribution-2.8.3-150400.9.24.1.src.rpm distribution-registry-2.8.3-150400.9.24.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4689 Security update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer fixes the following issues: This update rebuilds containerized-data-importer and its containers against updated GO and updated base images. 
containerized-data-importer-1.51.0-150400.4.23.1.src.rpm containerized-data-importer-manifests-1.51.0-150400.4.23.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4727 Security update for catatonit, containerd, runc important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of runc and containerd fixes the following issues: containerd: - Update to containerd v1.7.8. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.8 * CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528) catatonit: - Update to catatonit v0.2.0. * Change license to GPL-2.0-or-later. - Update to catatont v0.1.7 * This release adds the ability for catatonit to be used as the only process in a pause container, by passing the -P flag (in this mode no subprocess is spawned and thus no signal forwarding is done). - Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to socket activation or features somewhat adjacent to socket activation (such as passing file descriptors). runc: - Update to runc v1.1.10. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.10 containerd-1.7.8-150000.103.1.src.rpm containerd-1.7.8-150000.103.1.x86_64.rpm containerd-ctr-1.7.8-150000.103.1.x86_64.rpm containerd-devel-1.7.8-150000.103.1.x86_64.rpm runc-1.1.10-150000.55.1.src.rpm runc-1.1.10-150000.55.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2023-4807 Security update for container-suseconnect important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). 
container-suseconnect-2.4.0-150000.4.46.1.src.rpm container-suseconnect-2.4.0-150000.4.46.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2024-254 Recommended update for containerd moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for containerd fixes the following issues: - Fix permissions of address file (bsc#1217952) - Update to version 1.7.10 containerd-1.7.10-150000.106.1.src.rpm containerd-1.7.10-150000.106.1.x86_64.rpm containerd-ctr-1.7.10-150000.106.1.x86_64.rpm containerd-devel-1.7.10-150000.106.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2024-261 Recommended update for conmon moderate SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for conmon fixes the following issues: - New upstream release 2.1.10 Bug fixes: * Fix incorrect free in conn_sock * logging: Respect log-size-max immediately after open - Add patch for fixing regression in v2.1.9 (https://github.com/containers/conmon/issues/475 and https://github.com/containers/conmon/issues/477) - New upstream release 2.1.9 ### Bug fixes * fix some issues flagged by SAST scan * src: fix write after end of buffer * src: open all files with O_CLOEXEC * oom-score: restore oom score before running exit command ### Features * Forward more messages on the sd-notify socket * logging: -l passthrough accepts TTYs * [bsc#1215806] - Update to version 2.1.8: * stdio: ignore EIO for terminals (bsc#1217773) * ensure console socket buffers are properly sized * conmon: drop return after pexit() * ctrl: make accept4 failures fatal * logging: avoid opening /dev/null for each write * oom: restore old OOM score * Use default umask 0022 * cli: log parsing errors to stderr * Changes to build conmon for riscv64 * Changes to build conmon for ppc64le * Fix close_other_fds on FreeBSD conmon-2.1.10-150400.3.17.1.src.rpm conmon-2.1.10-150400.3.17.1.x86_64.rpm SUSE-SLE-Module-Containers-15-SP4-2024-586 Security update for docker important SUSE Updates SLE-Module-Containers 15-SP4 x86 64 This update for 
docker fixes the following issues: Vendor latest buildkit v0.11 including bugfixes for the following: * CVE-2024-23653: BuildKit API doesn't validate entitlement on container creation (bsc#1219438). * CVE-2024-23652: Fixed arbitrary deletion of files (bsc#1219268). * CVE-2024-23651: Fixed race condition in mount (bsc#1219267). Updating docker will restart the docker service, which may stop some of your docker containers. Do you want to proceed with the update? docker-24.0.7_ce-150000.193.1.src.rpm docker-24.0.7_ce-150000.193.1.x86_64.rpm docker-bash-completion-24.0.7_ce-150000.193.1.noarch.rpm docker-rootless-extras-24.0.7_ce-150000.193.1.noarch.rpm