
r/podman

I cannot properly express my unending gratitude to whoever implemented `rootless_port_forwarder = "pasta"`
I can finally have a completely rootless container stack inside a custom podman network where the only ingress is through a reverse proxy container. The inability for my service containers to see the true source IP was literally the only thing holding me back from going rootless and it is finally HERE! 🎉
I simply added:
[network]
rootless_port_forwarder = "pasta"
into a drop-in conf file in /etc/containers/containers.conf.d and now my Nextcloud and Jellyfin can see where requests are actually coming from instead of my proxy container's internal IP. That means proper brute-force protection in Nextcloud and the ability to do IP banning.
I could not be happier with this setup. Huge thanks to the wonderful human beings who made this possible!
Podman stop command doesn't work (WARN[0010] StopSignal issue)
So I'm on Gentoo and I am currently using podman with distrobox.
Every time I create a container then try to stop it I get this warning/error:
WARN[0010] StopSignal SIGTERM failed to stop container "container-name" in 10 seconds, resorting to SIGKILL
I can attempt to stop the container using distrobox and still experience the same thing. I then check to see if it has stopped, but it never is. For now, the only way I can truly stop a container is using the "podman kill" command.
I like using this with Distrobox as I can containerize different linux distro dev environments, and this has been occurring regardless of what image I pull. I really like using Podman and I'd hate to have to go back to Docker because of this. With all the research I've done on this problem, I've lost count on how many other cases I've found where people have experienced this exact same problem, without getting any kind of hint or lead as to how to go about fixing this.
Of course any advice or feedback would be greatly appreciated. Many thanks in advance.
user:group = 524320:524320
I'm struggling with user rights of bind clients folders to host. And am just wondering what is the usecase of creating these new user:group rights? When would I want to have host folders and files with owner 524320:524320? I suspect this an edge case and the majority just wants direct rw access to these folders and files. from my compose.yaml:
volumes:
- ./wp-content:/var/www/html/wp-content:Z
Web-Based Formatting Tool for Podman
Hi everyone, I’m here to show you a tool I just developed to convert commands, Compose files, and Quadlets files into one another.
I’ve been experimenting with self-hosting on my home servers using containers, and on the new server I got, I wanted to start using quadlets, but all my documentation on how I set up my server used either podman run or podman-compose. No problem switching over, but I had the idea to create a tool to quickly convert between the two.
So here’s the Quadletizador web (as you can see, it’s also hosted on my server). I thought it was fun to use it to generate the quadlet for my own deployment.
P.S.: If you try to access it and find that it’s down, it’s because I’m still working on improving my server’s stability.
podman 6.0.0 is out. Has anyone updated from 5.7.x or 5.8.x yet?
massive changelog...
Security
- This release addresses CVE-2026-57231, where a malicious image using malformed
Enventries could cause host environment variables to leak into containers run based on the image, including the ability to use the*glob operator to leak large numbers of environment variables without knowing their exact names (GHSA-4hq8-gpf5-8p68).
Breaking Changes
- Due to breaking changes in this release, Podman v6.0.0 must be used with Buildah v1.44.0, Skopeo v1.23, Netavark and Aardvark v2.0.0, and configuration files from the container-libs repository's common/v0.68.0 release.
- Support for BoltDB databases has been dropped. Starting Podman 6 when the BoltDB database is in use will have Podman attempt an automatic migration from BoltDB to SQLite.
- Support for running on Intel Macs has been removed.
- Support for running on Windows 10 has been removed.
- Support for running on cgroups v1 systems has been removed. Please update your system to use cgroups v2.
- Support for running on iptables has been removed. Please use nftables instead.
- Support for CNI networking has been removed. Please use Netavark instead.
- Support for the slirp4netns rootless network stack has been removed. Please use Pasta instead. As part of this, the
--network-cmd-pathglobal option, only used withslirp4netns, has been removed. - Podman's configuration file parsing logic has seen a major rewrite. Please see this document for exact details.
- Podman's import path has changed from
github.com/containers/podman/v5togo.podman.io/podman/v6as part of our move into a CNCF-owned GitHub organization. - Network isolation now defaults to enabled, improving Docker compatibility and security. A special workaround for the Docker-compatible API related to isolation being disabled has been removed (#27349).
- The way the
podman quadletsuite of commands functions has been changed. Previously, Quadlets and their associated files were tracked using a.appfile, ensuring that removing a Quadlet also removed all associated non-Quadlet files. Now, Quadlets and associated files are placed in subdirectories, which should reduce bugs and make manual management of Quadlets added bypodman quadlet installmuch easier. - VMs made by
podman machineon Linux now mount volumes from the host using systemd. Volume mounts on existingpodman machineVMs on Linux have been broken by this change, and the VM will need to be recreated. - The
podman volume prunecommand now matches Docker's behavior by only pruning unused anonymous volumes. Please use the newly-added--alloption for the previous behavior (pruning all volumes). - The
podman volume listcommand now combines multiple filters using logicalANDinstead of logicalOR(meaning all filters must match for a container to be included in output) (#26786). - The
label!=filter used in many commands now combines the output of multiple instances of the filter with logicalANDinstead of logicalOR. - The
--format='{{json .Labels}}option to thepodman ps,podman pod ps, andpodman volume lscommands now prints its output as comma-separatedkey=valuepairs instead of as a JSON map, improving Docker compatibility (#21847). - The
--all-providersoption topodman machine listhas been removed, as machines from all providers can now be accessed by all commands. - The
MemorySwappinessfield ofpodman inspectis now set tonilwhen not explicitly set by the user (instead of-1), improving Docker compatibility (#23824). - The
podman commitcommand now pauses the container while committing changes, improving security by restricting concurrent modification. The prior behavior can be restored by usingpodman commit --pause=false .... - The Go bindings for the REST API have removed the redundant
nameOrIDparameter from theartifacts.Remove()function. - The minimum Go version required to build Podman is now v1.25.
Features
- All
podman machinecommands can now operate on VMs from all providers, regardless of what the current provider is set to. The provider set in the configuration only determines the provider used by newly-created VMs, and can be overridden by the newpodman machine init --provideroption. This should make operation of Mac and Windows installs mixing use ofapplehvandlibkrunVMs, orhypervandwslVMs, much easier. - A new command has been added,
podman machine os update, which updates the operating system of apodman machineVM. Please note that this is not supported with thewslprovider. - A new command has been added,
podman system hyperv-prep, allowing Windows administrators to prepare a host for their users to runpodman machineVMs using thehypervprovider. - When starting a VM with
podman machine startandpodman machine init --now, if the connection to that VM is not the default, users will be prompted whether they want to change the default to the machine that was just started. This can also be controlled by a new option,--update-connection, which controls whether the default will be updated. If the--update-connectionoption is set, a user-interactive prompt is not displayed. - The
podman machine initandpodman machine setcommands now support a new option,--import-native-ca, which, when set, causespodman machineVMs on Windows, Linux, and Mac to import the host's trusted CA certificates each time the VM boots. - The
podman execcommand now has a new option,--no-session, disabling API session tracking and database operations to increase performance (#26727). - The
podman image list --format jsoncommand now includes two new fields for each image,RepositoryandTag(#27632). - The manpages for Quadlets have been split into multiple files, one for each type of Quadlet file, and should be much more readable.
- Quadlet
.volumeunits now support three new keys,UID=andGID=(to set the UID and GID that the volume will be created with) andOptions=(to set generic volume options). - Quadlet
.containerunits now support mounting anonymous volumes (using aMount=key with no source specified) (#28497). - Two new search paths for Quadlets have been added,
/usr/share/containers/systemd/usersand/usr/share/containers/systemd/users/${UID}, to allow distributions to more easily package and distribute Quadlets (#27843). - The
podman quadlet listcommand now has a new alias,podman quadlet ls. - The
podman quadlet listcommand now has a new option,--noheading, which disables printing the table header. This is set automatically if the--formatoption is used. - The
pomdan quadlet listcommand now includes a new field in its output,Pod, which prints the pod a Quadlet.containerunit is part of. - The
podman quadlet listcommand's--filteroption now supports a new filter,status=(#28369). - The
--gpusoption topodman createandpodman runis now compatible with AMD GPUs. - The
podman create,podman run, andpodman pod createcommands can now specify volumes with a new option,nocreate(e.g.podman run --mount type=volume,src=myvol,dst=/mnt,nocreate) which will error if the specified volume does not exist, instead of creating it. - The
--log-optoption to thepodman runandpodman createnow supports a new option,label=, to attach additional labels to logged messages (only usable with thejournaldlog driver). - Many Podman commands now expose a
--tls-detailsoption, allowing custom tuning of TLS settings using acontainers-tls-details.yaml(5)file. - The
diedevent for Containers now exposes a new attribute,OOMKilled, which (if set) indicates the container was stopped due to running out of memory (#26701). - Containers can now set multiple static IP addresses by passing the
ip=option to--netmultiple times (e.g.--net mynet:ip=10.0.0.2,ip=10.0.0.3,ip=10.0.0.4). - The
podman volume prunecommand now includes a new option,--all, to prune all unused volumes, not just anonymous volumes (#24597). - The
podman volume prunecommand now includes a new option,--dry-run, which returns the volumes that would be removed but does not actually remove them (#27838). - The
podman image scpcommand now includes a new option,--format, to set the archive format used for the image transfer (#28183). - A new field has been added to
containers.conf,default_host_ips, to set the default host IP that ports are forwarded from if an IP is not specified by the user (#27186). - The
podman image trustsuite of commands now support a new--signature-policyoption, which is mandatory forpodman image trust set. - Events now include artifact lifecycle events (
create,pull,push, andremove) (#27260). - A new experimental option for the
rootless_port_forwarderfield incontainers.confhas been added,rootless_port_forwarder="pasta". When set, rootless bridge networks will use Pasta's kernel-level port forwarding via Pesto instead of rootlessport, preserving the original client source IP in network traffic in rootless containers. The default remainsrootlessport(the default for Podman 5.x), but we will investigate switching at a later date when stability is more certain. - A new filter has been added to the
podman psandpodman container prunecommands,--filter annotation=, to filter containers based on their annotations (#28562). - The
podman network createcommand's--routeoption can now create blackhole, unreachable, and prohibit routes to prevent containers from reaching certain networks (e.g.podman network create --route10.20.30.40/24,blackhole...) (#20022). - Add support for blackhole, unreachable, and prohibit route types in podman networks. Supported since netavark 2.0.
- The
podman infocommand now reports CDI spec directories and discovered CDI devices. - Events generated by pods and volumes now include the pod/volume's labels as attributes, matching the behavior of container events (#26480).
Changes
- VMs created by
podman machinenow mount the host's user configurations (e.g.~/.config/containerson Linux) into the machine at/etc/containers, allowing users to edit the config files controlling Podman's behavior directly. - The default
podman machineprovider on Macs has been changed tolibkrun. - Starting and stopping
podman machineVMs on Windows with thehypervprovider no longer requires administrator privileges (creating machines still requires admin, however). Operations requiring elevated privileges will prompt for administrator access. Please note that this only works with newly-created VMs. - The
podman pod inspectcommand now prints arrays in its output in deterministic order. - The
podman machine os applycommand has been updated, and now usesbootc switchto apply changes. All transports supported bybootc switchcan be used for the new image to apply. - An experimental feature has been added where, on systems using Kernel 6.18 and newer, rootless Podman will no longer need to create a pause process to hold open the rootless user namespace, instead using an
nsfsfile handle. This behavior is currently gated behind an environment variable,drop-pause-process, being set. - Containers created with
--net=hostwill now use127.0.0.1for theirhost.containers.internaladdress, instead of a public IP of the machine (#27823). - Containers in multiple networks now have these networks configured in a deterministic order based on the order they were passed on the command line.
- When building an image with process substitution, such as
podman build -f <(<<<"FROM scratch"), an empty temporary directory is now used as the context directory (#28113). - In Podman versions 5.x and under, image IDs (for both OCI and Docker v2s2 images) were always equal to the SHA256 digest of the image's config data. A future version of Podman will add support for non-SHA256 digests, and image ID format will change for images that are not using the SHA256 digest. The exact format of the new IDs has not yet been decided, but the assumption that image IDs are valid hashes will no longer be true in future Podman versions.
Bugfixes
- Fixed a bug where creating a Quadlet from a templated
.containerfile that was part of a pod would incorrectly add a dependency on the template used for the container to the pod (#27844). - Fixed a bug where Quadlet
.podfiles would unconditionally setRestart=on-failureeven when the user specified an alternative restart policy (#28081). - Fixed a bug where starting a
podman machineVM on Windows using thehypervprovider would fail if the machine failed to start on first boot (#27930). - Fixed a bug where
podman machine initandpodman machine setallowed creating VMs with more CPUs than were available on the host, creating VMs that could not be started (#28322). - Fixed a bug where artifact volumes only checked the validity of the artifact when the container was started, allowing containers to be created that referenced artifacts which did not exist and thus could never be started (#27747).
- Fixed a bug where containers with environment secrets could lose the value of the secret after a restart under some circumstances (#28075).
- Fixed a bug where the
podman container restore --publishcommand would silently ignore the--publishoption instead of erroring when used without the--importoption or a checkpoint image. - Fixed a bug where running nested rootless Podman containers on Windows using the
wslprovider was not possible (#27411). - Fixed a bug where the
podman container clonecommand would fail with containers created with environment secrets (--secret type=env,...) (#28130). - Fixed a bug where creating a container with the
tag=log option (--log-opt tag=mytag) was allowed when a log driver other thanjournaldwas selected. - Fixed a bug where the output of
--helpwith some commands was incorrectly formatted (#28178). - Fixed a bug where containers in pods with multiple volume mounts could have mount options from one volume mount leak to other mounts.
- Fixed a bug where the remote Podman client's
podman versioncommand would error if the server could not be connected to (e.g. thepodman machineVM was shut down). In this case, client version is now printed (#28222). - Fixed a bug where rootless Podman would display errors and refuse to launch if the pause process was killed and its PID recycled to another process (#28157).
- Fixed a bug where running
podman kube generateon a container including volumes with.characters in their names produced invalid YAML (#27620). - Fixed a bug where patterns in
.containerignoreand.dockerignorefiles that began or ended with slashes were silently ignored during remote builds (#25458). - Fixed a bug where healthchecks on containers created using the
--transient-storeoption would fail (#28483). - Fixed a bug where the
podman generate speccommand would panic when run on a pod with no infra container (#21609). - Fixed a bug where the
podman container inspectcommand could HTML-escape certain characters in its output (#28560). - Fixed a bug where pods with entries added to
/etc/hostscontaining multiple containers would incorrectly remove entries from/etc/hostsfor all containers in the pod when any container stopped. - Fixed a bug where hosts without
/dev/mqueuecould be unable to start containers as Podman attempted to add the device unconditionally. - Fixed a bug where inspecting networks without a gateway set would show the gateway as
<nil>instead of the showing nothing (#28705). - Fixed a bug where creating a container or pod with port mappings including duplicated host ports was allowed, when this configuration could never be started due to the port conflict.
- Fixed a bug where the remote Podman client was unable to connect to any host with a custom
HostNamein the user's SSH config (#25067). - Fixed a bug where the
podman inspect --type=allcommand would, when attempting to inspect multiple networks, output only one of the networks multiple times. - Fixed a bug where Quadlet
.containerfiles using thehttp_proxy=truesetting did not properly escape special characters in the environment variables added to the container when creating the systemd unit file (#28698). - Fixed a bug where containers created using the remote Podman client ignored the
log_pathsetting incontainers.conf(#28792). - Fixed a bug where the remote Podman client's
podman savecommand would fail on Linux when using the-f oci-diror-f docker-dirarguments. - Fixed a bug where
podman machineVMs on Linux would fail to mount the directories under a symlinked path into the VM (#28911). - Fixed a bug where the
podman container checkpoint --leave-runningcommand could produce inconsistent checkpoints because the rootfs and named volume diffs were performed after the processes were allowed to run for a time; the container is now paused until the checkpoint is fully complete. - Fixed a bug where the
podman kube playcommand would incorrectly set memory limits if the user specified the limit as a fractical BinarySI quantity (e.g.1.5Gi) (#28789).
API
- An improvement pass has been made over API documentation to document fields which were missing documentation. Look forward to more API documentation improvements in future releases!
- The supported Docker Compatible API version has been bumped to v1.44.
- All API requests that accept JSON body parameters will no longer error if an empty body is provided.
- The Compat List endpoint for Containers now includes a new field in its output,
Health, providing information on the status of the container's healthcheck (#27786). - Added a new API,
POST /libpod/local/artifacts/add, for loading artifacts from the local system (not requiring transmission of a tarball). - The
POST /libpod/local/imagesendpoint for loading images from the local system now requires that thepathquery parameter is an absolute path, not a relative path. - The Libpod Pull endpoint for Images can now report pull progress when the
pullProgressquery parameter is set totrue. - The Libpod Pull endpoint for Images now returns error status codes on failure to pull imges, instead of always returning HTTP 200.
- Fixed a bug where the
subpathoption for volumes when creating containers was ignored (#27171). - Fixed a bug where the Libpod Create endpoint for Containers ignored the
OCIRuntimefield. - Fixed a bug where the Compat Create endpoint for Containers returned a 500 (not a 409) when attempting to create a container with a name that was already in use.
- Fixed a bug where the Compat Create endpoint for Containers incorrectly handled CDI-qualified entries in
HostConfig.Devices, greatly improving the reliability of CDI devices when using the Compat API. - Fixed a bug where the Compat Info endpoint did not return the location of the Seccomp profile if a non-default profile was in use (#28379).
- Fixed a bug where the Compat List endpoint for Containers could return an invalid string for container status (#28359).
- Fixed a bug where the Compat List endpoint for Containers did not include the
HostConfigfield in its responses. - Fixed a bug where the Compat Wait endpoint for Containers would hang indefinitely when waiting for the
next-exitcondition (#28514). - Fixed a bug where the Compat and Libpod Update endpoints for Containers would clear the rlimits of the container if they were not explicitly set in the API request.
- Fixed a bug where the Compat Push endpoint for Images did not return a final JSON object including tag, digest, and size of the pushed image, as Docker does.
Misc
- Autocomplete has been enabled for inspecting artifacts with
podman inspect. - Updated Buildah to v1.44.0
- Updated the image library to v5.40.0
- Updated the storage library to v1.63.0
- Updated the common library to v0.68.0
Updating podman
Im currently running podman 4.9.3 on linux mint charcoal, im having an issue where my containers cant use my gpu because podman cant see it properly and the hook i need for it to be cleaner is apparently podman 5.x onwards, ive spent the last month getting my server working and running ning how I want it, will doing this upgrade cause any issues for my containers or should it just upgrade and work, I want to upgrade but im nervous as like I say ive spent ages getting this all working well, any tips, tricks or advice is appreciated.
Edit: think ive fixed it so far, I was trying to set up cdi hook but its striped from my podman build apparently, ive managed to set up oci hook though, fingers crossed so far so good.
Rootless Podman: dig @127.0.0.1 -p <port> to a containerized service times out, even though the port mapping shows correctly in podman ps
I'm running a containerized DNS server (BIND9 inside a Podman container) with rootless Podman, and I can't get host-to-container connectivity to work over loopback for a published port, even though everything else about the setup checks out.
Setup
bashpodman run -d --name bind-sec
-p 30053:53/tcp -p 30053:53/udp
-v /var/cache/bind-sec:/var/cache/bind
my-bind-image:latest
podman ps shows the port mapping correctly:
PORTS
0.0.0.0:30053->53/tcp, 0.0.0.0:30053->53/udp
What works
The container itself is healthy — podman logs shows BIND fully started, zones loaded, listening on port 53 internally.
Querying the container's own internal IP directly from inside the container's network namespace works fine.
ss -tlnp on the host shows something listening on 0.0.0.0:30053 (confirmed via lsof -i :30053 that it's the container's conmon/proxy process, not a stray process).
Other containers I run with the same -p pattern (e.g., a basic httpd container on port 8080) do work correctly over loopback — curl http://127.0.0.1:8080/ succeeds normally for those.
What fails
bashdig u/127.0.0.1 -p 30053 example.com
;; communications error to 127.0.0.1#30053: timed out
This fails consistently, both from the host itself and (with appropriate firewall rules in place) from other hosts on the same subnet querying :30053.
What I've tried
Confirmed firewall (nftables) rules explicitly allow the port on both iif "lo" and the regular network interface — ruled out as the cause since the same symptom persists with or without those rules.
Tried both default bridge networking and --network=slirp4netns:allow_host_loopback=true — same timeout in both modes.
Tried running the same container with sudo (rootful) instead of rootless — same timeout persists.
Confirmed no orphaned/leftover container processes are holding the port from a previous run.
My question
Why would a UDP/TCP port published via -p work fine for an HTTP container (httpd on 8080) but consistently time out for a DNS container on a different port, using the identical -p host:container syntax and the same Podman version/host? Is there something DNS/UDP-specific about rootless Podman's port-forwarding (rootlessport) that behaves differently from a simple TCP HTTP service, even when both are nominally "just a published port"?
Environment
Ubuntu 24.04 LTS
Podman (rootless, default config)
nftables firewall (rules confirmed not to be the blocker)
userns=auto container inside VM with VirtioFS datasets
I'm trying to get my head around the best approach to have my rootful containers setup with userns=auto inside a VM with the necessary ZFS datasets that live on the Proxmox host passed into the VM via VirtioFS.
Let's say I have two datasets on the proxmox host: media (0:2200) and svc (0:2100). Both passed into the VM via VirtioFS and mounted at /srv/media and /srv/svc.
And let's take Jellyfin as an example for a container where the two volumes are mapped /srv/media:/media:ro and /srv/svc/jellyfin:config
With userns=auto set what are my best options? From some research I'm seeing two options but maybe someone with more indepth knowledge could weigh in.
Option 1:userns=auto:gidmapping=0:2100:1,gidmapping=2200:2200:1
or make it a bit easier and give let's say user 2000 on the proxmox host ownership of both datasets so it would look something like this:userns=auto:uidmapping=0:2000:1,gidmapping=0:2000:1
Option 2:
first add to /etc/subgidcontainers:2147483647:2147483648containers:2100:1containers:2200:1
then in the quadlet add:[Container]UserNS=autoPodmanArgs=--gidmap=+g2100:@2100 --gidmap=+g2200:@2200GroupAdd=2100GroupAdd=2200
is one of those approaches sound or am I missing something? Or do the pros here have a better way to do what I want?