RHEL-32715

[RHEL EPIC] Update Container Tools Package Ecosystem for 10.0Beta GA

      The following needs to be verified in order for this epic to be considered complete:

      • Verify X
      • Verify Y
      • Verify Z
    • Red Hat Enterprise Linux
    • rhel-sst-container-tools
    • 26
    • 5
    • False
    • Yes
    • QE ack, Dev ack, Docs ack, PXE ack
    • Enhancement
      .The Container Tools packages have been updated

      The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, `crun`, and `runc` tools, is now available. Podman v5.0 contains the following notable bug fixes and enhancements over the previous version:

      * The `podman manifest add` command now supports a new `--artifact` option to add OCI artifacts to a manifest list.
      * The `podman create`, `podman run`, and `podman push` commands now support the `--retry` and `--retry-delay` options to configure retries for pushing and pulling images.
      * The `podman run` and `podman exec` commands now support the `--preserve-fd` option to pass a list of file descriptors into the container. It is an alternative to `--preserve-fds`, which passes a specific number of file descriptors.
      * Quadlet now supports templated units.
      * The `podman kube play` command can now create image-based volumes by using the `volume.podman.io/image` annotation.
      * Containers created with the `podman kube play` command can now include volumes from other containers by using a new annotation, `io.podman.annotations.volumes-from`.
      * Pods created with the `podman kube play` command can now set user namespace options by using the `io.podman.annotations.userns` annotation in the pod definition.
      * The `--gpus` option to `podman create` and `podman run` is now compatible with Nvidia GPUs.
      * The `--mount` option to `podman create` and `podman run` supports a new mount option, `no-dereference`, to mount a symlink instead of its dereferenced target into a container.
      * Podman now supports the new `--config` global option to point to a Docker configuration where registry login credentials can be sourced.
      * The `podman ps --format` command now supports the new `.Label` format specifier.
      * The `uidmapping` and `gidmapping` options to the `podman run --userns=auto` option can now map to host IDs by prefixing host IDs with the `@` symbol.
      * Quadlet now supports systemd-style drop-in directories.
      * Quadlet now supports creating pods by using the new `.pod` unit files.
      * Quadlet now supports two new keys, `Entrypoint` and `StopTimeout`, in `.container` files.
      * Quadlet now supports specifying the `Ulimit` key multiple times in `.container` files to set more than one `ulimit` on a container.
      * Quadlet now supports setting the `Notify` key to `healthy` in `.container` files, to only notify that a container has started when its health check begins passing.
      * The output of the `podman inspect` command for containers has changed. The `Entrypoint` field changes from a string to an array of strings and `StopSignal` from an integer to a string.
      * The `podman inspect` command for containers now returns nil for health checks when inspecting containers without health checks.
      * It is no longer possible to create new BoltDB databases. Attempting to do so results in an error. All new Podman installations now use the SQLite database backend. Existing BoltDB databases remain usable.
      * Support for CNI networking is gated by a build tag and is not enabled by default.
      * Podman now prints warnings when used on `cgroups v1` systems. Support for `cgroups v1` is deprecated and will be removed in a future release. You can set the `PODMAN_IGNORE_CGROUPSV1_WARNING` environment variable to suppress warnings.
      * Network statistics sent over the Docker-compatible API are now per-interface, and not aggregated, which improves Docker compatibility.
      * The default tool for rootless networking has been changed from `slirp4netns` to `pasta` for improved performance. As a result, networks named `pasta` are no longer supported.
      * Using multiple filters with the List Images REST API now combines the filters with AND instead of OR, improving Docker compatibility.
      * The parsing for a number of Podman CLI options which accept arrays has been changed to no longer accept string-delimited lists, and instead to require the option to be passed multiple times. These options are:
      ** The `--annotation` option to `podman manifest annotate` and `podman manifest add`
      ** The `--configmap`, `--log-opt`, and `--annotation` options to `podman kube play`
      ** The `--pubkeysfile` option to `podman image trust set`
      ** The `--encryption-key` and `--decryption-key` options to `podman create`, `podman run`, `podman push` and `podman pull`
      ** The `--env-file` option to `podman exec`, and the `--blkio-weight-device`, `--device-read-bps`, `--device-write-bps`, `--device-read-iops`, `--device-write-iops`, `--device`, `--label-file`, `--chrootdirs`, `--log-opt`, and `--env-file` options to `podman create` and `podman run`
      ** The `--hooks-dir` and `--module` global options
      * The `podman system reset` command no longer waits for running containers to stop, and instead immediately sends the `SIGKILL` signal.
      * The `podman network inspect` command now includes running containers that use the network in its output.
      * The `podman compose` command is now supported on other architectures in addition to AMD and Intel 64-bit architectures (x86-64-v2) and the 64-bit ARM architecture (ARMv8.0-A).
      * The `--no-trunc` option to the `podman kube play` and `podman kube generate` commands has been deprecated. Podman now complies with the Kubernetes specification for annotation size, which removes the need for this option.
      * Connections from the `podman system connection` command and farms from the `podman farm` command are now written to a new configuration file, `podman-connections.conf`. As a result, Podman no longer writes to the `containers.conf` file. Podman still respects existing connections from `containers.conf`.
      * Most `podman farm` subcommands no longer need to connect to the machines in the farm to run.
      * The `podman create` and `podman run` commands no longer require specifying an entrypoint on the command line when the container image does not define one. In this case, an empty command is passed to the OCI runtime, and the resulting behavior is runtime-specific.
      * A new API endpoint, `/libpod/images/$name/resolve`, has been added to resolve a potential short name to a list of fully-qualified image references that Podman can use to pull the image.

      For more information about notable changes, see link:https://github.com/containers/podman/blob/main/RELEASE_NOTES.md#500[upstream release notes].
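      Several of the changes above (cgroups v1 deprecation, no new BoltDB databases, CNI behind a build tag, `pasta` replacing `slirp4netns`, connections moving out of `containers.conf`, array options no longer taking delimited lists) are the ones that bite on upgrade. The following is an added example, not code from this issue or from the Podman project: a POSIX shell pre-upgrade check that reads the relevant `podman info` fields, scans `containers.conf` for settings the 5.0 changes interact with, and rewrites a legacy comma-delimited option value into the repeated-flag form the new parser requires. The `podman info` template fields (`.Host.CgroupsVersion`, `.Host.DatabaseBackend`, `.Host.NetworkBackend`), the `containers.conf` keys and the `podman-connections.conf` file name are real; the severity levels and messages are this script's own.

```shell
#!/bin/sh
# Added example (not from the RHEL issue or the Podman project): a
# pre-upgrade readiness check for the Podman 5.0 behaviour changes listed
# in the release note above. podman field names and containers.conf keys are
# real; severity levels and wording are this script's own choices.

# assess_podman5_readiness CGROUP_VERSION DB_BACKEND NETWORK_BACKEND NETWORK_NAMES
# Arguments are the values `podman info` and `podman network ls` report
# (see gather_and_assess). Prints one finding per line; returns 1 if any
# finding is blocking (FAIL), 0 otherwise.
assess_podman5_readiness() {
    cgroup="$1"; db="$2"; net="$3"; names="$4"; blocking=0
    if [ "$cgroup" = "v1" ]; then
        echo "WARN cgroups v1: deprecated in 5.0 and slated for removal; PODMAN_IGNORE_CGROUPSV1_WARNING=1 only silences the warning"
    fi
    if [ "$db" = "boltdb" ]; then
        echo "INFO BoltDB in use: existing databases stay usable, but no new BoltDB database can be created, so a reset or fresh install lands on SQLite"
    fi
    if [ "$net" = "cni" ]; then
        echo "FAIL CNI backend: gated behind a build tag and off by default in 5.0; migrate to netavark first"
        blocking=1
    fi
    for n in $names; do
        if [ "$n" = "pasta" ]; then
            echo "FAIL a network named 'pasta' exists: no longer supported now that pasta is the rootless default; rename it before upgrading"
            blocking=1
        fi
    done
    return "$blocking"
}

# check_containers_conf FILE
# Flags containers.conf settings that interact with the 5.0 changes.
check_containers_conf() {
    f="$1"
    grep -Eq '^[[:space:]]*db_backend[[:space:]]*=[[:space:]]*"boltdb"' "$f" && \
        echo "FAIL containers.conf pins db_backend = \"boltdb\": creating a new database errors under 5.0"
    grep -Eq '^[[:space:]]*default_rootless_network_cmd[[:space:]]*=[[:space:]]*"slirp4netns"' "$f" && \
        echo "INFO containers.conf pins slirp4netns; the 5.0 default is pasta"
    grep -Eq '^\[engine\.service_destinations\.' "$f" && \
        echo "INFO remote connections live in containers.conf; still honoured, but new ones are written to podman-connections.conf"
    return 0
}

# repeat_opt OPTION "a,b,c" -> "--option a --option b --option c"
# The array options listed above no longer accept a comma-delimited list
# (the form older Podman split on); this rewrites a legacy value.
repeat_opt() {
    opt="$1"; list="$2"; out=""
    old_ifs="$IFS"; IFS=','
    for item in $list; do
        [ -n "$item" ] && out="$out --$opt $item"
    done
    IFS="$old_ifs"
    printf '%s\n' "${out# }"
}

# gather_and_assess: live run against the local Podman; skipped when podman
# is absent so the functions above can still be exercised offline.
gather_and_assess() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed; skipping live check"; return 0; }
    cg=$(podman info --format '{{.Host.CgroupsVersion}}')
    db=$(podman info --format '{{.Host.DatabaseBackend}}')
    nb=$(podman info --format '{{.Host.NetworkBackend}}')
    nets=$(podman network ls --format '{{.Name}}' | tr '\n' ' ')
    assess_podman5_readiness "$cg" "$db" "$nb" "$nets"
    rc=$?
    [ -r /etc/containers/containers.conf ] && check_containers_conf /etc/containers/containers.conf
    return "$rc"
}

gather_and_assess
```

      Run it on the host before the `container-tools` update; a non-zero exit means at least one FAIL line needs action first. Rootless users should also run it as the unprivileged account, since the database backend and `containers.conf` under `~/.config/containers/` can differ from the root ones.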
    • Done

      Description

      SME: Jindrich Novy

      This epic will be used to track the final packaging of all the container tools that are going into RHEL 10.0 Beta. It will also be used to track the final testing for the container tools before release.

      Epic Overview

      This feature will provide customers with easy access to the latest versions of podman, buildah, and skopeo. This will provide developers and fast moving operations teams access to the latest tools on a stable platform of RHEL. 

      Goals

      Provide users with the latest versions of Podman/Buildah/Skopeo. Speed should be prioritized over stability. This meets the same use case that we tackled in RHEL 8 and RHEL 9. See more:

      Requirements

      A list of specific needs or objectives that a Feature must deliver to satisfy the Feature. Some requirements will be flagged as MVP. If an MVP gets shifted, the feature shifts. If a non-MVP requirement slips, it does not shift the feature.

      Requirement | Notes | isMvp?

      RHEL 10.0 Beta GA: Release container-tools meta-package
        Notes: This fast moving application stream should be the default in RHEL. In RHEL 10, this should be a meta-package instead of a module.
        isMvp?: Yes

      RHEL 10.0 Beta GA: All of these packages should be updated to match what Fedora is using:
        podman
        podman-docker
        podman-plugins
        podman-remote
        podman-tests
        buildah
        skopeo
        skopeo-tests
        runc
        crun
        netavark
        aardvark-dns
        conmon
        container-selinux
        slirp4netns
        libslirp
        libslirp-devel
        oci-systemd-hook
        oci-seccomp-bpf-hook
        oci-umount
        containernetworking-plugins
        containers-common
        fuse-overlayfs
        crit (CRIU Image Tool, Adrian Reber)
        toolbox (Debarshi Ray, Oliver Guttierez)
        udica (Lukas Vrabek)
        python3-criu (Adrian Reber)
        python-podman
        cockpit-podman (Martin Pitt)
        Notes: We want to rely on the user testing done in Fedora, so as much as possible we want to use the exact same versions of each of these packages. We want the exact same versions in the exact same permutation as what has been tested upstream. Small changes in versions can be made as necessary, but this should be the exception rather than the rule.
        isMvp?: Yes

      RHEL 10.0 Beta GA: Write launch blog & release notes
        Notes: Explain that the APIs to Podman/Buildah/Skopeo are targeted and tested to be the same as RHEL 8 and RHEL 9, but with a major OS upgrade below the covers, performance, security, and even lower level libraries might change. Also, we should have release notes.
        isMvp?: Yes

      RHEL 10.0 Beta GA: Update docs replacing any reference to modularity
        Notes: We must convert any commands which reference modularity. Focus on the use of the words Application Stream instead of Module.
        isMvp?: Yes

      RHEL 10.0 Beta GA: Updated marketing material discussing application stream
        Notes: The more I think about this, as long as we focus on discussing "the container tools application stream" this technology should be a speed bump.
        isMvp?: Yes

      RHEL 10.0 Beta GA: Update support docs to determine how we will discuss the support life cycle of this application stream
        Notes: Kyle Walker and Derrick Ornelas will need to be involved in determining how the support life cycle of a rolling stream like container-tools is communicated to customers, especially in the customer portal.
        isMvp?: Yes

      RHEL 10.0 Beta GA: QE will need to update any tests which use modularity to install container-tools
        Notes: David Darrah, this will likely include things like:
        • Removing tests for stable streams
        • Changing tests which use modularity
        • Adding tests for EUS
        • Adding tests for the meta-package

      Install the latest container-tools:

      [root@rhel-beta ~]# yum install container-tools

      The user should see something like the following for podman, buildah, and skopeo:

      [root@rhel ~]# podman version
      Version: 4.0+
      RemoteAPI Version: 2

      ...

      Run podman, buildah, or skopeo:

      [root@rhel ~]# podman run -it ubi9 bash
      [root@0aaddfba5fb2 /]#
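      The three steps above as one script, added here and not part of the issue: it installs the `container-tools` meta-package when absent (a plain package on RHEL 10, with no `dnf module` step), gates each tool on a minimum major version parsed from its version output, and runs a throwaway container from a fully-qualified image instead of the short name `ubi9`. The minimum of 5 for Podman follows the release note above; 1 for Buildah and Skopeo only rules out a failed parse; the image and the `--run` guard are this script's assumptions.

```shell
#!/bin/sh
# Added example, not from the RHEL issue: the install-and-verify procedure
# above as a script. Package and tool names are the ones the issue lists;
# the minimum major versions, the test image and the --run guard are this
# script's own assumptions.

# tool_major_version OUTPUT: extract the major version number from the text
# `podman version`, `buildah version` or `skopeo --version` print.
tool_major_version() {
    printf '%s\n' "$1" | sed -nE 's/.*[Vv]ersion:?[[:space:]]+([0-9]+)\.[0-9].*/\1/p' | head -n 1
}

# require_min_major NAME MIN OUTPUT: 0 if OUTPUT reports a major version >= MIN.
require_min_major() {
    name="$1"; min="$2"; major=$(tool_major_version "$3")
    if [ -n "$major" ] && [ "$major" -ge "$min" ]; then
        echo "ok   $name major version $major (>= $min)"
        return 0
    fi
    echo "FAIL $name: could not confirm major version >= $min from: $(printf '%s' "$3" | head -n 2 | tr '\n' ' ')"
    return 1
}

# verify_container_tools: install the meta-package if needed, gate the
# versions, then run a throwaway container from a fully-qualified image.
verify_container_tools() {
    image="${IMAGE:-registry.access.redhat.com/ubi9/ubi}"
    command -v dnf >/dev/null 2>&1 || { echo "dnf not found; not a RHEL host, skipping live verification"; return 0; }
    rpm -q container-tools >/dev/null 2>&1 || dnf install -y container-tools
    rc=0
    require_min_major podman 5 "$(podman version 2>&1)" || rc=1
    require_min_major buildah 1 "$(buildah version 2>&1)" || rc=1
    require_min_major skopeo 1 "$(skopeo --version 2>&1)" || rc=1
    [ "$rc" -eq 0 ] || return "$rc"
    podman run --rm "$image" true && echo "ok   podman run $image"
}

# Only touch the host when explicitly asked; sourcing or running the file
# without --run just defines the functions.
case "${1:-}" in
    --run) verify_container_tools ;;
esac
```

      Run `sh verify-container-tools.sh --run` as root on the RHEL 10 Beta host; a non-zero exit means a tool is missing, older than expected, or the smoke-test container failed to start.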

       

      Background, and strategic fit

      This is convenient for developers testing and building on RHEL systems, especially those moving from docker to podman. Updating container-tools every 12 weeks will give developers the confidence that RHEL can move fast, while giving operations the peace of mind they need with the stable stream (which will stay the same). This will be an update of major tools in the container-tools fast stream.

      Podman and its dependencies are delivered in two AppStreams in RHEL: one fast stream updated up to four times per year and multiple stable streams released once a year. The feature hungry user can get access to the latest tools, while the stability seeking production user can install once, and defer to Red Hat to worry about security updates.

      Assumptions

      • Developers will install the container-tools:latest fast moving stream
      • Developers and people seeking features will trade stability for speed

      Customer Considerations

      Developers who need access to the latest Podman features to justify moving away from Docker CE/EE will benefit from this packaging in RHEL 8+.

      In the early RHEL 7 era, users had quick access to the latest versions of Docker. In the later era of RHEL 7, the docker package was basically frozen. Customers have slowly migrated to podman, but with RHEL 8 and now RHEL 9, there is a new opportunity to provide new value.

      Documentation Considerations

      The Containers Guide for RHEL 8 should be updated to include any major or moderate new features of podman, buildah and skopeo: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/building_running_and_managing_containers/index

      Success looks like:

      1. Docs will capture any noteworthy features from upstream (Derrick and David Darrah)
      2. QE testing any noteworthy features which are documented (David Darrah)

      Questions

      Question | Outcome
      What version of podman, buildah, and skopeo? | Depends on what's stable in Fedora at the time of packaging
      What versions of CRIU and Udica? | Determined by those respective subsystem teams
      Can the LEAP team make upgrades work with this plan? | Scott to reach out to them and ask them to look at this feature.

      Action items


              container-runtime-eng (Container Runtime Eng Bot)
              tsweeney@redhat.com (Tom Sweeney)
              Container Runtime Bugs Bot
              Gabriela Necasova