Merge pull request #13133 from mheon/bump_400_rc4

Bump to v4.0.0-RC4

Author: openshift-merge-robot

RELEASE_NOTES.md

@@ -73,6 +73,7 @@
 - The Podman APIs for Manifest List and Network operations have been completely rewritten to address issues and inconsistencies in the previous APIs.
 - The `make install` makefile target no longer implicitly builds Podman, and will fail if `make` was not run prior to it.
 - The `podman rm --depends`, `podman rmi --force`, and `podman network rm --force` commands can now remove pods if a they need to remove an infra container (e.g. `podman rmi --force` on the infra image will remove all pods and infra containers). Previously, any command that tried to remove an infra container would error.
+- The `podman system reset` command now removes all networks on the system, in addition to all volumes, pods, containers, and images.
 - If the `CONTAINER_HOST` environment variable is set, Podman will default to connecting to the remote Podman service specified by the environment variable, instead of running containers locally ([#11196](https://github.com/containers/podman/issues/11196)).
 - Healthcheck information from `podman inspect` on a container has had its JSON tag renamed from `Healthcheck` to `Health` for improved Docker compatibility. An alias has been added so that using the old name with the `--format` option will still work ([#11645](https://github.com/containers/podman/issues/11645)).
 - Secondary IP and IPv6 addresses from `podman inspect` on a container (`SecondaryIPAddresses` and `SecondaryIPv6Addresses`) have been changed from arrays of strings to arrays of structs for improved Docker compatibility (the struct now includes IP address and prefix length).
@@ -85,6 +86,8 @@
 ### Changes
 - Podman containers will now automatically add the container's short ID as a network alias when connected to a supporting network ([#11748](https://github.com/containers/podman/issues/11748)).
 - The `podman machine stop` command will now log when machines are successfully stopped ([#11542](https://github.com/containers/podman/issues/11542)).
+- The `podman machine stop` command now waits until the VM has stopped to return; previously, it returned immediately after the shutdown command was sent, without waiting for the VM to shut down.
+- VMs created by `podman machine` now delegate more cgroup controllers to the rootless user used to run containers, allowing for additional resource limits to be used ([#13054](https://github.com/containers/podman/issues/13054)).
 - The `podman stop` command will now log a warning to the console if the stop timeout expires and `SIGKILL` must be used to stop the container ([#11854](https://github.com/containers/podman/issues/11854)).
 - Several performance optimizations have been implemented that should speed up container and pod creation, and running containers and pods that forward large ranges of ports.
 - The `--no-trunc` argument to the `podman search` command now defaults to true.
@@ -96,7 +99,6 @@
 - The `--cni-config-dir` option to all Podman commands has been renamed to `--network-config-dir` as it will not be used with Netavark as well as CNI. The old name has been aliased to the new one and will still function, but may be removed in a future release.
 - The `--format` option to all Podman commands has been changed to improved functionality and Docker compatibility ([#10974](https://github.com/containers/podman/issues/10974)).
 - The `podman ps --external` flag previously required `--all` to also be specified; this is no longer true
-- The `podman machine stop` command now waits until the VM has stopped to return; previously, it returned immediately after the shutdown command was sent, without waiting for the VM to shut down.
 - The port-forwarding logic previously contined in the `podman-machine-cni` CNI plugin has been integrated directly into Podman. The `podman-machine-cni` plugin is no longer necessary and should be removed.
 - The `--device` flag to `podman create`, `podman run`, and `podman pod create` would previously refuse to mount devices when Podman was run as a non-root user and no permission to access the device was available; it will now mount these devices without checking permissions ([#12704](https://github.com/containers/podman/issues/12704)).
 
@@ -130,6 +132,7 @@
 - Fixed a bug where VMs created by `podman machine` did not match their timezone to the host system ([#11895](https://github.com/containers/podman/issues/11895)).
 - Fixed a bug where container healthchecks were not properly cleaning up generated systemd services, leading to healthcheck failures after containers were restarted.
 - Fixed a bug where the `podman build` command did not properly propagate non-0 exit codes from Buildah when builds failed.
+- Fixed a bug where the remote Podman client's `podman build` command could fail to build images when the remote client was run on Windows and the Containerfile contained `COPY` instructions ([#13119](https://github.com/containers/podman/issues/13119)).
 - Fixed a bug where the remote Podman client's `--secret` option to the `podman build` command was nonfunctional.
 - Fixed a bug where the remote Podman client's `podman build` command would error if given a relative path to a Containerfile ([#12841](https://github.com/containers/podman/issues/12841)).
 - Fixed a bug where the `podman generate kube` command would sometimes omit environment variables set in containers from generated YAML.
@@ -150,6 +153,9 @@
 - Fixed a bug where, when Podman's storage directories were on an NFS filesystem, Podman would leave some unneeded file descriptors open, causing errors when containers were removed.
 - Fixed a bug where, when Podman's storage directories were on an NFS filesystem, cleaning up a container's exec sessions could fail.
 - Fixed a bug where Podman commands that operate on a container could give an incorrect error message if given a partial ID that could refer to 2 or more containers ([#12963](https://github.com/containers/podman/issues/12963)).
+- Fixed a bug where the `podman stats` command would not show network usage statistics on containers using `slirp4netns` for networking ([#11695](https://github.com/containers/podman/issues/11695)).
+- Fixed a bug where the `/dev/shm` mount in the container was not mounted with `nosuid`, `noexec`, and `nodev` mount options.
+- Fixed a bug where the `--shm-size` option to `podman create` and `podman run` interpeted human-readable sizes as KB instead of KiB, and GB instead of GiB (such that a kilobyte was interpreted as 1000 bytes, instead of 1024 bytes) ([#13096](https://github.com/containers/podman/issues/13096)).
 
 ### API
 - The Podman remote API version has been bumped to v4.0.0.

cmd/podman/common/netflags.go

@@ -103,69 +103,79 @@ func NetFlagsToNetOptions(opts *entities.NetOptions, flags pflag.FlagSet) (*enti
 		opts = &entities.NetOptions{}
 	}
 
-	opts.AddHosts, err = flags.GetStringSlice("add-host")
-	if err != nil {
-		return nil, err
-	}
-	// Verify the additional hosts are in correct format
-	for _, host := range opts.AddHosts {
-		if _, err := parse.ValidateExtraHost(host); err != nil {
+	if flags.Changed("add-host") {
+		opts.AddHosts, err = flags.GetStringSlice("add-host")
+		if err != nil {
 			return nil, err
 		}
+		// Verify the additional hosts are in correct format
+		for _, host := range opts.AddHosts {
+			if _, err := parse.ValidateExtraHost(host); err != nil {
+				return nil, err
+			}
+		}
 	}
 
-	servers, err := flags.GetStringSlice("dns")
-	if err != nil {
-		return nil, err
-	}
-	for _, d := range servers {
-		if d == "none" {
-			opts.UseImageResolvConf = true
-			if len(servers) > 1 {
-				return nil, errors.Errorf("%s is not allowed to be specified with other DNS ip addresses", d)
-			}
-			break
+	if flags.Changed("dns") {
+		servers, err := flags.GetStringSlice("dns")
+		if err != nil {
+			return nil, err
 		}
-		dns := net.ParseIP(d)
-		if dns == nil {
-			return nil, errors.Errorf("%s is not an ip address", d)
+		for _, d := range servers {
+			if d == "none" {
+				opts.UseImageResolvConf = true
+				if len(servers) > 1 {
+					return nil, errors.Errorf("%s is not allowed to be specified with other DNS ip addresses", d)
+				}
+				break
+			}
+			dns := net.ParseIP(d)
+			if dns == nil {
+				return nil, errors.Errorf("%s is not an ip address", d)
+			}
+			opts.DNSServers = append(opts.DNSServers, dns)
 		}
-		opts.DNSServers = append(opts.DNSServers, dns)
 	}
 
-	options, err := flags.GetStringSlice("dns-opt")
-	if err != nil {
-		return nil, err
+	if flags.Changed("dns-opt") {
+		options, err := flags.GetStringSlice("dns-opt")
+		if err != nil {
+			return nil, err
+		}
+		opts.DNSOptions = options
 	}
-	opts.DNSOptions = options
 
-	dnsSearches, err := flags.GetStringSlice("dns-search")
-	if err != nil {
-		return nil, err
-	}
-	// Validate domains are good
-	for _, dom := range dnsSearches {
-		if dom == "." {
-			if len(dnsSearches) > 1 {
-				return nil, errors.Errorf("cannot pass additional search domains when also specifying '.'")
-			}
-			continue
-		}
-		if _, err := parse.ValidateDomain(dom); err != nil {
+	if flags.Changed("dns-search") {
+		dnsSearches, err := flags.GetStringSlice("dns-search")
+		if err != nil {
 			return nil, err
 		}
+		// Validate domains are good
+		for _, dom := range dnsSearches {
+			if dom == "." {
+				if len(dnsSearches) > 1 {
+					return nil, errors.Errorf("cannot pass additional search domains when also specifying '.'")
+				}
+				continue
+			}
+			if _, err := parse.ValidateDomain(dom); err != nil {
+				return nil, err
+			}
+		}
+		opts.DNSSearch = dnsSearches
 	}
-	opts.DNSSearch = dnsSearches
 
-	inputPorts, err := flags.GetStringSlice("publish")
-	if err != nil {
-		return nil, err
-	}
-	if len(inputPorts) > 0 {
-		opts.PublishPorts, err = specgenutil.CreatePortBindings(inputPorts)
+	if flags.Changed("publish") {
+		inputPorts, err := flags.GetStringSlice("publish")
 		if err != nil {
 			return nil, err
 		}
+		if len(inputPorts) > 0 {
+			opts.PublishPorts, err = specgenutil.CreatePortBindings(inputPorts)
+			if err != nil {
+				return nil, err
+			}
+		}
 	}
 
 	opts.NoHosts, err = flags.GetBool("no-hosts")

cmd/podman/images/scp.go

@@ -146,6 +146,17 @@ func scp(cmd *cobra.Command, args []string) (finalErr error) {
 		return err
 	}
 
+	allLocal := true // if we are all localhost, do not validate connections but if we are using one localhost and one non we need to use sshd
+	for _, val := range cliConnections {
+		if !strings.Contains(val, "@localhost::") {
+			allLocal = false
+			break
+		}
+	}
+	if allLocal {
+		cliConnections = []string{}
+	}
+
 	var serv map[string]config.Destination
 	serv, err = GetServiceInformation(cliConnections, cfg)
 	if err != nil {

cmd/podman/images/scp_utils.go

@@ -17,12 +17,13 @@ func parseImageSCPArg(arg string) (*entities.ImageScpOptions, []string, error) {
 	cliConnections := []string{}
 
 	switch {
-	case strings.Contains(arg, "@localhost"): // image transfer between users
+	case strings.Contains(arg, "@localhost::"): // image transfer between users
 		location.User = strings.Split(arg, "@")[0]
 		location, err = validateImagePortion(location, arg)
 		if err != nil {
 			return nil, nil, err
 		}
+		cliConnections = append(cliConnections, arg)
 	case strings.Contains(arg, "::"):
 		location, err = validateImagePortion(location, arg)
 		if err != nil {

cmd/podman/pods/create.go

@@ -75,7 +75,7 @@ func init() {
 	if !registry.IsRemote() {
 		defInfraImage = containerConfig.Engine.InfraImage
 	}
-	flags.StringVar(&infraImage, infraImageFlagName, defInfraImage, "The image of the infra container to associate with the pod")
+	flags.StringVar(&infraImage, infraImageFlagName, defInfraImage, "Image to use to override builtin infra container")
 	_ = createCommand.RegisterFlagCompletionFunc(infraImageFlagName, common.AutocompleteImages)
 
 	podIDFileFlagName := "pod-id-file"

cmd/podman/system/reset.go

@@ -21,7 +21,7 @@ import (
 var (
 	systemResetDescription = `Reset podman storage back to default state"
 
-  All containers will be stopped and removed, and all images, volumes and container content will be removed.
+  All containers will be stopped and removed, and all images, volumes, networks and container content will be removed.
 `
 	systemResetCommand = &cobra.Command{
 		Annotations:       map[string]string{registry.EngineMode: registry.ABIMode},
@@ -55,11 +55,11 @@ func reset(cmd *cobra.Command, args []string) {
 	// Prompt for confirmation if --force is not set
 	if !forceFlag {
 		reader := bufio.NewReader(os.Stdin)
-		fmt.Println(`
-WARNING! This will remove:
+		fmt.Println(`WARNING! This will remove:
         - all containers
         - all pods
         - all images
+        - all networks
         - all build cache`)
 		if len(listCtn) > 0 {
 			fmt.Println(`WARNING! The following external containers will be purged:`)

docs/source/markdown/podman-attach.1.md

@@ -22,7 +22,7 @@ The default is `ctrl-p,ctrl-q`.
 
 Instead of providing the *container ID* or *name*, use the last created *container*. If other methods than Podman are used to run *containers* such as `CRI-O`, the last started *container* could be from either of those methods.\
 The default is **false**.\
-*IMPORTANT: This OPTION is not available with the remote Podman client. This OPTION does not need a container name or ID as input argument.*
+*IMPORTANT: This OPTION is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines. This OPTION does not need a container name or ID as input argument.*
 
 #### **--no-stdin**
 

docs/source/markdown/podman-build.1.md

@@ -94,7 +94,7 @@ resulting image's configuration.
 #### **--cache-from**
 
 Images to utilize as potential cache sources. Podman does not currently support
-caching so this is a NOOP. (This option is not available with the remote Podman client)
+caching so this is a NOOP. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
 
 #### **--cap-add**=*CAP\_xxx*
 
@@ -119,7 +119,7 @@ given.
 #### **--cert-dir**=*path*
 
 Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d)
-Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client)
+Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
 
 #### **--cgroup-parent**=*path*
 
@@ -138,7 +138,7 @@ that the cgroup namespace in which `buildah` itself is being run should be reuse
 
 This option is added to be aligned with other containers CLIs.
 Podman doesn't communicate with a daemon or a remote server.
-Thus, compressing the data before sending it is irrelevant to Podman. (This option is not available with the remote Podman client)
+Thus, compressing the data before sending it is irrelevant to Podman. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
 
 #### **--cpu-period**=*limit*
 
@@ -257,7 +257,7 @@ specifying **--disable-compression=false**.
 
 This is a Docker specific option to disable image verification to a container
 registry and is not supported by Podman.  This option is a NOOP and provided
-solely for scripting compatibility. (This option is not available with the remote Podman client)
+solely for scripting compatibility. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
 
 #### **--dns**=*dns*
 
@@ -546,7 +546,7 @@ size entirely, the system uses `64m`.
 
 #### **--sign-by**=*fingerprint*
 
-Sign the image using a GPG key with the specified FINGERPRINT. (This option is not available with the remote Podman client)
+Sign the image using a GPG key with the specified FINGERPRINT. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines,)
 
 #### **--squash**
 
@@ -600,7 +600,7 @@ timestamp.
 #### **--tls-verify**
 
 Require HTTPS and verify certificates when talking to container registries
-(defaults to true). (This option is not available with the remote Podman client)
+(defaults to true). (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
 
 #### **--ulimit**=*type*=*soft-limit*[:*hard-limit*]
 
@@ -727,7 +727,7 @@ using the architecture variant of the build host.
 
    Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Podman
    bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman
-   container. (This option is not available with the remote Podman client)
+   container. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
 
    The `OPTIONS` are a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup>
 

docs/source/markdown/podman-container-checkpoint.1.md

@@ -57,7 +57,7 @@ The default is **false**.
 
 Instead of providing the *container ID* or *name*, use the last created *container*. If other methods than Podman are used to run *containers* such as `CRI-O`, the last started *container* could be from either of those methods.\
 The default is **false**.\
-*IMPORTANT: This OPTION is not available with the remote Podman client. This OPTION does not need a container name or ID as input argument.*
+*IMPORTANT: This OPTION is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines. This OPTION does not need a container name or ID as input argument.*
 
 #### **--leave-running**, **-R**
 

docs/source/markdown/podman-container-cleanup.1.md

@@ -27,7 +27,7 @@ Can only be specified if a single *container* is being cleaned up (conflicts wit
 
 Instead of providing the *container ID* or *name*, use the last created *container*. If other methods than Podman are used to run *containers* such as `CRI-O`, the last started *container* could be from either of those methods.\
 The default is **false**.\
-*IMPORTANT: This OPTION is not available with the remote Podman client. This OPTION does not need a container name or ID as input argument.*
+*IMPORTANT: This OPTION is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines. This OPTION does not need a container name or ID as input argument.*
 
 #### **--rm**