Releases: containers/podman

v5.8.2

14 Apr 17:56
v5.8.2
5b263b5

Security

  • This release addresses CVE-2026-33414, where the podman machine init --image command, when run on Windows using the Hyper-V backend, can run PowerShell-escaped commands from the user-specified image path in a PowerShell session on the host (GHSA-hc8w-h2mf-hp59).

Bugfixes

  • Fixed a bug where containers with the unless-stopped restart policy would not restart after a reboot when podman-restart.service was enabled (#28152).
  • Fixed a bug where setting Entrypoint="" in a Quadlet .container file did not clear the container's entrypoint (#28213).
  • Fixed a bug where setting a HealthCmd in a Quadlet .container file to a command that included double-quotes (") would result in a nonfunctional healthcheck due to a parsing issue (#28409).
  • Fixed a bug where FreeBSD systems could panic when inspecting containers created with the host network mode (#28289).

API

  • Fixed a bug where the Libpod System Check endpoint could perform operations with bad data after returning a 400 error (#28350).
  • Fixed a bug where the remote attach API for containers (Libpod & Compat) could panic due to a rare race condition (#28277).
  • Fixed a bug where the Secret Create API could not create functional secrets using the shell driver due to options from the default driver being improperly added.

Misc

  • Updated Buildah to v1.43.1
  • Updated the containers/common library to v0.67.1
  • Updated the containers/image library to v5.39.2

v5.8.1

11 Mar 20:03
v5.8.1
c6077f6

Bugfixes

  • Fixed a critical bug where automatic migration from BoltDB to SQLite after a reboot could perform a partial migration, with some containers in SQLite and some remaining in BoltDB, when Quadlets were in use (#28215). For those who encountered this bug with 5.8.0 there is no way to automatically recover. If you do not have persistent containers/pods/volumes (i.e. all containers are run using Quadlets) then the easiest option is to move the db.sql file in Podman's storage directory to db.sql.bak (or similar) and reboot again with v5.8.1 to attempt another migration. Please contact the maintainers with any issues during migration and we will assist as able.

v5.8.0

12 Feb 18:58
v5.8.0
07efc23

Features

  • The podman quadlet install command can now install files which contain multiple separate Quadlet files. The files must be separated with a --- delimiter on a new line, and each section must begin with a # FileName=<name> line to name the new Quadlet (#27384).
  • Quadlet .container files now support a new key, AppArmor, for configuring the container's AppArmor profile (#27095).
  • When running the podman artifact add command against a podman machine VM, if the path being loaded or built is shared into the VM, Podman will load it from the VM's filesystem instead of streaming the data through the REST API, improving performance (#26321).
  • The podman update command now features a new option, --ulimit, to update container ulimits (#26381).
  • The podman exec command now features a new option, --no-session, which disables tracking of the exec session to improve performance and startup time (#26588).

Changes

  • Podman will now automatically attempt to migrate legacy BoltDB databases to SQLite when the system reboots. This is necessary as support for BoltDB will be removed in Podman 6.0 in May. If automatic migration is not possible, a new option, podman system migrate --migrate-db, will manually force a migration.
  • The podman secret create - command no longer requires that the secret be provided through a pipe, and instead allows typing the secret through the terminal (#27879).

Bugfixes

  • Fixed a bug where containers created by podman play kube with a healthcheck using the initialDelaySeconds option would run healthchecks before the initial delay had expired (#27678).
  • Fixed a bug where healthchecks would sometimes fail to execute due to systemd rate limits.
  • Fixed a bug where the podman export command would emit a Mount event instead of an Export event.
  • Fixed a bug where the podman kube play command incorrectly handled precedence between environment variables set by both the envFrom and env fields (#27287).
  • Fixed a bug where the podman kube play command would panic when parsing Pod YAML missing the image field (#27784).
  • Fixed a bug where the podman volume mount command returned empty paths when volumes were handled by a plugin driver (#27858).
  • Fixed a bug where containers created with --rootfs instead of from an image would show that they had a healthcheck in the starting state even if no healthcheck was defined (#27651).
  • Fixed a bug where the podman build command's --pull=newer option did not function correctly (#22845).
  • Fixed a bug where the RequiresMountsFor field in Quadlet .container files incorrectly handled bind-mount paths which contained spaces.
  • Fixed a bug where the remote Podman client's podman run --detach-keys option did not accept an empty string (i.e., no detach keys) (#27414).
  • Fixed a bug where the remote Podman client's podman build --secret ... env=VAR option would incorrectly try to read the environment variable on the server side, instead of from the client (#27494).
  • Fixed a bug where the podman artifact push and podman artifact pull commands ignored authentication credentials given by the --authfile option (#27421).
  • Fixed a bug where Windows paths were incorrectly handled under some circumstances when using the HyperV machine provider (#27571).
  • Fixed a bug where the podman run --pod-id-file option was not properly validated, allowing the creation of containers in pods with improper user namespace configuration (#26848).

API

  • Added new APIs for interacting with Quadlets, including GET /libpod/quadlets/{name}/file (print contents of a Quadlet file), GET /libpod/quadlets/{name}/exists (check if the given Quadlet exists), POST /libpod/quadlets (install one or more Quadlets), DELETE /libpod/quadlets (remove one or more Quadlets), and DELETE /libpod/quadlets/{name} (remove a single Quadlet).
  • Fixed a bug where the Compat and Libpod Logs endpoints for Containers did not use nanosecond-level precision for reported timestamps (#27961).
  • Fixed a bug where the Compat Create endpoint for Containers incorrectly handled healthcheck commands with arguments containing spaces (#26519).
  • Fixed a bug where the Compat Remove endpoint for Secrets was misnamed as DELETE /secret/{name} instead of DELETE /secrets/{name} (#27548).

Misc

  • Updated Buildah to v1.43.0
  • Updated the containers/storage library to v1.62.0
  • Updated the containers/image library to v5.39.1
  • Updated the containers/common library to v0.67.0

v5.8.0-RC1

10 Feb 20:34
v5.8.0-rc1
cf25144

v5.8.0-RC1 Pre-release

Features

  • The podman quadlet install command can now install files which contain multiple separate Quadlet files. The files must be separated with a --- delimiter on a new line, and each section must begin with a # FileName=<name> line to name the new Quadlet (#27384).
  • Quadlet .container files now support a new key, AppArmor, for configuring the container's AppArmor profile (#27095).
  • When running the podman artifact add command against a podman machine VM, if the path being loaded or built is shared into the VM, Podman will load it from the VM's filesystem instead of streaming the data through the REST API, improving performance (#26321).
  • The podman update command now features a new option, --ulimit, to update container ulimits (#26381).
  • The podman exec command now features a new option, --no-session, which disables tracking of the exec session to improve performance and startup time (#26588).

Changes

  • The podman secret create - command no longer requires that the secret be provided through a pipe, and instead allows typing the secret through the terminal (#27879).

Bugfixes

  • Fixed a bug where containers created by podman play kube with a healthcheck using the initialDelaySeconds option would run healthchecks before the initial delay had expired (#27678).
  • Fixed a bug where healthchecks would sometimes fail to execute due to systemd rate limits.
  • Fixed a bug where the podman export command would emit a Mount event instead of an Export event.
  • Fixed a bug where the podman kube play command incorrectly handled precedence between environment variables set by both the envFrom and env fields (#27287).
  • Fixed a bug where the podman kube play command would panic when parsing Pod YAML missing the image field (#27784).
  • Fixed a bug where the podman volume mount command returned empty paths when volumes were handled by a plugin driver (#27858).
  • Fixed a bug where containers created with --rootfs instead of from an image would show that they had a healthcheck in the starting state even if no healthcheck was defined (#27651).
  • Fixed a bug where the podman build command's --pull=newer option did not function correctly (#22845).
  • Fixed a bug where the RequiresMountsFor field in Quadlet .container files incorrectly handled bind-mount paths which contained spaces.
  • Fixed a bug where the remote Podman client's podman run --detach-keys option did not accept an empty string (i.e., no detach keys) (#27414).
  • Fixed a bug where the remote Podman client's podman build --secret ... env=VAR option would incorrectly try to read the environment variable on the server side, instead of from the client (#27494).
  • Fixed a bug where the podman artifact push and podman artifact pull commands ignored authentication credentials given by the --authfile option (#27421).
  • Fixed a bug where Windows paths were incorrectly handled under some circumstances when using the HyperV machine provider (#27571).
  • Fixed a bug where the podman run --pod-id-file option was not properly validated, allowing the creation of containers in pods with improper user namespace configuration (#26848).

API

  • Added new APIs for interacting with Quadlets, including GET /libpod/quadlets/{name}/file (print contents of a Quadlet file), GET /libpod/quadlets/{name}/exists (check if the given Quadlet exists), POST /libpod/quadlets (install one or more Quadlets), DELETE /libpod/quadlets (remove one or more Quadlets), and DELETE /libpod/quadlets/{name} (remove a single Quadlet).
  • Fixed a bug where the Compat and Libpod Logs endpoints for Containers did not use nanosecond-level precision for reported timestamps (#27961).
  • Fixed a bug where the Compat Create endpoint for Containers incorrectly handled healthcheck commands with arguments containing spaces (#26519).
  • Fixed a bug where the Compat Remove endpoint for Secrets was misnamed as DELETE /secret/{name} instead of DELETE /secrets/{name} (#27548).

v5.7.1

10 Dec 16:38
v5.7.1
f845d14

Bugfixes

  • Fixed a bug where adding devices to emulated Linux containers on FreeBSD did not work.
  • Fixed a bug where the podman system migrate command could panic under certain circumstances when run rootless.
  • Fixed a bug where Podman would sometimes not correctly recreate the rootless user namespace when Conmon and the rootless pause process were unexpectedly killed.
  • Fixed a bug where the podman kube play command could leak file descriptors.

Misc

  • Updated Buildah to v1.42.2
  • Updated containers/common to v0.66.1

v5.7.0

11 Nov 19:04
v5.7.0
0370128

Security

  • This release addresses CVE-2025-52881, where arbitrary write gadgets and procfs write redirects allowed runc container escape and denial of service.

Features

  • The remote Podman client and podman system service API server now support encrypting connections with TLS and mTLS, including client authentication by certificate (#24583).
  • The podman system connection add command can now create connections to TCP sockets with TLS and mTLS encryption.
  • The podman run and podman create commands now support two new options, --creds and --cert-dir, to manage logging into registries to pull images.
  • The podman kube play and podman kube down commands can now accept multiple files as input, creating or removing more than one pod or deployment with the same command (#26274).
  • The podman kube play command now supports a new option, --no-pod-prefix, to disable prefixing container names with pod names. Please note that this can cause pods to fail to create if the pod shares a name with a container (#26396).
  • The podman machine init command now supports a new option, --tls-verify, to control whether the machine image can be pulled from registries without a trusted TLS certificate, with the default being true (TLS verification on) (#26517).
  • When running the podman image load and podman build commands against a podman machine VM, if the path being loaded or built is shared into the VM, Podman will load it from the VM's filesystem instead of streaming the data through the REST API, improving performance (#26321).
  • A default location for container log files when using the k8s-file log driver can now be specified with the log_path option in containers.conf.
  • Default flags for the OCI runtime can now be set with the runtimes_flags option in containers.conf.
  • The podman artifact remove command can now accept multiple arguments, for example, podman artifact rm artifact1 artifact2.
  • The podman wait command now supports a new option, --return-on-first, which causes podman wait to return after any container matches the condition, as opposed to waiting for all containers to match (#26691).
  • The podman container restore command now supports a new option, --tcp-close, allowing containers with active TCP connections to be restored multiple times.
  • Quadlet now features support for a new file type, .artifact, allowing OCI artifacts to be managed with Quadlet (#25778).
  • Quadlet .container files now support a new key, HttpProxy, to disable the automatic forwarding of HTTP proxy options from the host into the container (#26925).
  • Quadlet .pod files now support a new key, StopTimeout, to configure the stop timeout for the pod (#27120).
  • Quadlet .build files now support two new keys, BuildArg and IgnoreFile, to specify build arguments and an ignore file (#27065 and #27268).
  • Quadlet .kube files now support multiple YAML files in a single .kube file.
  • Quadlet now supports templated dependencies for volumes and networks (#25136).
  • The podman quadlet install command now supports a new option, --replace, which will replace any existing Quadlet with a conflicting name (#26930).
  • The podman quadlet print command now has a new alias, podman quadlet cat (#27296).
  • The remote Podman client's podman artifact remove command now supports the --all option.
  • The podman artifact add command now supports a new option, --replace, which will replace any existing artifact with the given name (#27082).
  • The podman artifact rm command now supports a new option, --ignore, which will suppress errors when attempting to remove an artifact that does not exist (#27084).
  • The podman artifact list command now includes artifact creation time in its output (#27314).
  • The podman artifact list --format option now supports two new format keys, VirtualSize, returning the size of the artifact in integer bytes, and CreatedAt, returning the time the artifact was created as an RFC3339 timestamp (the existing Size and Created fields returned human-readable information) (#27085).
  • The podman artifact inspect command now supports a new option, --format, to return specific information about an artifact with user-specified formatting (#27112).

Changes

  • In preparation for a planned removal of the BoltDB database in Podman 6.0, a warning has been added for installations still using BoltDB. These warnings were added in Podman 5.6, but were not visible by default; they now are. They can be suppressed with the SUPPRESS_BOLTDB_WARNING=true environment variable.
  • A new Windows installer has been introduced with a simpler single MSI architecture that supports both user-scope (no admin required) and machine-scope installations. Note: To use the new installer, users must uninstall existing Podman installations before using the new installer, but all containers, images, machines, and other data will be preserved. The old installer is still provided to ensure backwards compatibility, though it will be removed in a future release (#22994 and #25968).
  • Podman now requires Go 1.24.
  • When the -p/--publish and --network=ns:/path options are used together when creating a container, Podman will now warn that the -p option will be ignored as an existing namespace is in use (this has always been the case, but Podman now prints a warning about it) (#26663).
  • The podman stats command now provides additional information about container resource utilization when run on FreeBSD.
  • Shell autocompletion has been enabled for the --sysctl option to podman create and podman run, and the --interface-name option to podman network create.
  • Artifacts created by Podman now include a creation timestamp by default, stored in the org.opencontainers.image.created annotation (#27081).
  • The podman inspect command can now inspect artifacts.
  • The podman artifact add command can now override the org.opencontainers.image.title annotation in created artifacts.
  • Podman can now optionally be built with Sequoia-PGP support. When so built, the --sign-by-sq-fingerprint option allows signing images using Sequoia-PGP keys.

Bugfixes

  • Fixed a bug where the --filter ancestor= option to podman ps required complete matches, unlike Docker (which matched substrings) (#26623).
  • Fixed a bug where the --filter label= option to podman events did not support key-only matches (as podman ps --filter label= does) (#26702).
  • Fixed a bug where Quadlet could panic when a Mount was given without a source being specified.
  • Fixed a bug where Quadlet would fail to generate for a .build file when a systemd specifier was used in the [Build] section (#26746).
  • Fixed a bug where the podman info command could panic when /proc/sys/fs/binfmt_misc was not mounted.
  • Fixed a bug where the remote Podman client could lose some initial bytes of output from attach sessions (podman run, podman exec, podman attach) due to a race condition (#26951).
  • Fixed a bug where the podman build command was ignoring SBOM related options (#23915).
  • Fixed a bug where the --userns=ns:/path option to podman create and podman run was broken with runc 1.1.11 and higher (#27148).
  • Fixed a bug where podman machine on Windows would always re-pull machine images when using the WSL provider, even if the image had already been pulled and was present on disk.

API

  • Added a new API endpoint to list quadlets (GET /libpod/quadlets/json).
  • The Compat Inspect endpoint for Images no longer includes the ContainerConfig field. To access image configuration, use the Config field instead. This matches changes made by Docker in the v1.45 API.
  • Fixed a bug where the Stats and Commit endpoints for Containers (compat & libpod), the Push, Commit, Push, and Pull endpoints for Images (compat & libpod), and the Push endpoint for Manifests (libpod) were not returning a Content-Type header.

Misc

  • Error messages returned when an incomplete --device option (for example --device /dev/fuse::) is passed to podman create or podman run have been improved.
  • Updated Buildah to v1.42.0
  • Updated the containers/image library to v5.38.0
  • Updated the containers/storage library to v1.61.0
  • Updated the containers/common library to v0.66.0
  • The containers/image, containers/storage, and containers/common libraries are now sourced from the [containers/co...

v5.7.0-RC3

05 Nov 16:45
v5.7.0-rc3
85a6e7f

v5.7.0-RC3 Pre-release

Features

  • The remote Podman client and podman system service API server now support encrypting connections with TLS and mTLS, including client authentication by certificate (#24583).
  • The podman system connection add command can now create connections to TCP sockets with TLS and mTLS encryption.
  • The podman run and podman create commands now support two new options, --creds and --cert-dir, to manage logging into registries to pull images.
  • The podman kube play and podman kube down commands can now accept multiple files as input, creating or removing more than one pod or deployment with the same command (#26274).
  • The podman kube play command now supports a new option, --no-pod-prefix, to disable prefixing container names with pod names. Please note that this can cause pods to fail to create if the pod shares a name with a container (#26396).
  • The podman machine init command now supports a new option, --tls-verify, to control whether the machine image can be pulled from registries without a trusted TLS certificate, with the default being true (TLS verification on) (#26517).
  • When running the podman image load and podman build commands against a podman machine VM, if the path being loaded or built is shared into the VM, Podman will load it from the VM's filesystem instead of streaming the data through the REST API, improving performance (#26321).
  • A default location for container log files when using the k8s-file log driver can now be specified with the log_path option in containers.conf.
  • Default flags for the OCI runtime can now be set with the runtimes_flags option in containers.conf.
  • The podman artifact remove command can now accept multiple arguments, for example, podman artifact rm artifact1 artifact2.
  • The podman wait command now supports a new option, --return-on-first, which causes podman wait to return after any container matches the condition, as opposed to waiting for all containers to match (#26691).
  • The podman container restore command now supports a new option, --tcp-close, allowing containers with active TCP connections to be restored multiple times.
  • Quadlet now features support for a new file type, .artifact, allowing OCI artifacts to be managed with Quadlet (#25778).
  • Quadlet .container files now support a new key, HttpProxy, to disable the automatic forwarding of HTTP proxy options from the host into the container (#26925).
  • Quadlet .pod files now support a new key, StopTimeout, to configure the stop timeout for the pod (#27120).
  • Quadlet .build files now support two new keys, BuildArg and IgnoreFile, to specify build arguments and an ignore file (#27065 and #27268).
  • Quadlet .kube files now support multiple YAML files in a single .kube file.
  • Quadlet now supports templated dependencies for volumes and networks (#25136).
  • The podman quadlet install command now supports a new option, --replace, which will replace any existing Quadlet with a conflicting name (#26930).
  • The podman quadlet print command now has a new alias, podman quadlet cat (#27296).
  • The remote Podman client's podman artifact remove command now supports the --all option.
  • The podman artifact add command now supports a new option, --replace, which will replace any existing artifact with the given name (#27082).
  • The podman artifact rm command now supports a new option, --ignore, which will suppress errors when attempting to remove an artifact that does not exist (#27084).
  • The podman artifact list command now includes artifact creation time in its output (#27314).
  • The podman artifact list --format option now supports two new format keys, VirtualSize, returning the size of the artifact in integer bytes, and CreatedAt, returning the time the artifact was created as an RFC3339 timestamp (the existing Size and Created fields returned human-readable information) (#27085).
  • The podman artifact inspect command now supports a new option, --format, to return specific information about an artifact with user-specified formatting (#27112).

Changes

  • In preparation for a planned removal of the BoltDB database in Podman 6.0, a warning has been added for installations still using BoltDB. These warnings were added in Podman 5.6, but were not visible by default; they now are. They can be suppressed with the SUPPRESS_BOLTDB_WARNING=true environment variable.
  • A new Windows installer has been introduced with a simpler single MSI architecture that supports both user-scope (no admin required) and machine-scope installations. Note: To use the new installer, users must uninstall existing Podman installations before using the new installer, but all containers, images, machines, and other data will be preserved. The old installer is still provided to ensure backwards compatibility, though it will be removed in a future release (#22994 and #25968).
  • Podman now requires Go 1.24.
  • When the -p/--publish and --network=ns:/path options are used together when creating a container, Podman will now warn that the -p option will be ignored as an existing namespace is in use (this has always been the case, but Podman now prints a warning about it) (#26663).
  • The podman stats command now provides additional information about container resource utilization when run on FreeBSD.
  • Shell autocompletion has been enabled for the --sysctl option to podman create and podman run, and the --interface-name option to podman network create.
  • Artifacts created by Podman now include a creation timestamp by default, stored in the org.opencontainers.image.created annotation (#27081).
  • The podman inspect command can now inspect artifacts.
  • The podman artifact add command can now override the org.opencontainers.image.title annotation in created artifacts.
  • Podman can now optionally be built with Sequoia-PGP support. When so built, the --sign-by-sq-fingerprint option allows signing images using Sequoia-PGP keys.

Bugfixes

  • Fixed a bug where the --filter ancestor= option to podman ps required complete matches, unlike Docker (which matched substrings) (#26623).
  • Fixed a bug where the --filter label= option to podman events did not support key-only matches (as podman ps --filter label= does) (#26702).
  • Fixed a bug where Quadlet could panic when a Mount was given without a source being specified.
  • Fixed a bug where Quadlet would fail to generate for a .build file when a systemd specifier was used in the [Build] section (#26746).
  • Fixed a bug where the podman info command could panic when /proc/sys/fs/binfmt_misc was not mounted.
  • Fixed a bug where the remote Podman client could lose some initial bytes of output from attach sessions (podman run, podman exec, podman attach) due to a race condition (#26951).
  • Fixed a bug where the podman build command was ignoring SBOM related options (#23915).
  • Fixed a bug where the --userns=ns:/path option to podman create and podman run was broken with runc 1.1.11 and higher (#27148).
  • Fixed a bug where podman machine on Windows would always re-pull machine images when using the WSL provider, even if the image had already been pulled and was present on disk.

API

  • Added a new API endpoint to list quadlets (GET /libpod/quadlets/json).
  • The Compat Inspect endpoint for Images no longer includes the ContainerConfig field. To access image configuration, use the Config field instead. This matches changes made by Docker in the v1.45 API.
  • Fixed a bug where the Stats and Commit endpoints for Containers (compat & libpod), the Push, Commit, Push, and Pull endpoints for Images (compat & libpod), and the Push endpoint for Manifests (libpod) were not returning a Content-Type header.

Misc

  • Error messages returned when an incomplete --device option (for example --device /dev/fuse::) is passed to podman create or podman run have been improved.
  • Updated Buildah to v1.42.0
  • Updated the containers/image library to v5.38.0
  • Updated the containers/storage library to v1.61.0
  • Updated the containers/common library to v0.66.0
  • The containers/image, containers/storage, and containers/common libraries are now sourced from the containers/container-libs monorepo.

v5.7.0-RC2

30 Oct 14:34
v5.7.0-rc2
fa892f1

v5.7.0-RC2 Pre-release

Features

  • The remote Podman client and podman system service API server now support encrypting connections with TLS and mTLS, including client authentication by certificate (#24583).
  • The podman system connection add command can now create connections to TCP sockets with TLS and mTLS encryption.
  • The podman run and podman create commands now support two new options, --creds and --cert-dir, to manage logging into registries to pull images.
  • The podman kube play and podman kube down commands can now accept multiple files as input, creating or removing more than one pod or deployment with the same command (#26274).
  • The podman kube play command now supports a new option, --no-pod-prefix, to disable prefixing container names with pod names. Please note that this can cause pods to fail to create if the pod shares a name with a container (#26396).
  • The podman machine init command now supports a new option, --tls-verify, to control whether the machine image can be pulled from registries without a trusted TLS certificate, with the default being true (TLS verification on) (#26517).
  • When running the podman image load and podman build commands against a podman machine VM, if the path being loaded or built is shared into the VM, Podman will load it from the VM's filesystem instead of streaming the data through the REST API, improving performance (#26321).
  • A default location for container log files when using the k8s-file log driver can now be specified with the log_path option in containers.conf.
  • Default flags for the OCI runtime can now be set with the runtimes_flags option in containers.conf.
  • The podman artifact remove command can now accept multiple arguments, for example, podman artifact rm artifact1 artifact2.
  • The podman wait command now supports a new option, --return-on-first, which causes podman wait to return after any container matches the condition, as opposed to waiting for all containers to match (#26691).
  • The podman container restore command now supports a new option, --tcp-close, allowing containers with active TCP connections to be restored multiple times.
  • Quadlet now features support for a new file type, .artifact, allowing OCI artifacts to be managed with Quadlet (#25778).
  • Quadlet .container files now support a new key, HttpProxy, to disable the automatic forwarding of HTTP proxy options from the host into the container (#26925).
  • Quadlet .pod files now support a new key, StopTimeout, to configure the stop timeout for the pod (#27120).
  • Quadlet .build files now support two new keys, BuildArg and IgnoreFile, to specify build arguments and an ignore file (#27065 and #27268).
  • Quadlet .kube files now support multiple YAML files in a single .kube file.
  • Quadlet now supports templated dependencies for volumes and networks (#25136).
  • The podman quadlet install command now supports a new option, --replace, which will replace any existing Quadlet with a conflicting name (#26930).
  • The podman quadlet print command now has a new alias, podman quadlet cat (#27296).
  • The remote Podman client's podman artifact remove command now supports the --all option.
  • The podman artifact add command now supports a new option, --replace, which will replace any existing artifact with the given name (#27082).
  • The podman artifact rm command now supports a new option, --ignore, which will suppress errors when attempting to remove an artifact that does not exist (#27084).
  • The podman artifact list command now includes artifact creation time in its output (#27314).
  • The podman artifact list --format option now supports two new format keys, VirtualSize, returning the size of the artifact in integer bytes, and CreatedAt, returning the time the artifact was created as an RFC3339 timestamp (the existing Size and Created fields returned human-readable information) (#27085).
  • The podman artifact inspect command now supports a new option, --format, to return specific information about an artifact with user-specified formatting (#27112).

Changes

  • In preparation for a planned removal of the BoltDB database in Podman 6.0, a warning has been added for installations still using BoltDB. These warnings were added in Podman 5.6, but were not visible by default; they now are. They can be suppressed with the SUPPRESS_BOLTDB_WARNING=true environment variable.
  • A new Windows installer has been introduced with a simpler single MSI architecture that supports both user-scope (no admin required) and machine-scope installations. Note: Users must uninstall existing Podman installations before using the new installer, but all containers, images, machines, and other data will be preserved. The old installer is still provided to ensure backwards compatibility, though it will be removed in a future release (#22994 and #25968).
  • Podman now requires Go 1.24.
  • When the -p/--publish and --network=ns:/path options are used together when creating a container, Podman will now warn that the -p option will be ignored as an existing namespace is in use (this has always been the case, but Podman now prints a warning about it) (#26663).
  • The podman stats command now provides additional information about container resource utilization when run on FreeBSD.
  • Shell autocompletion has been enabled for the --sysctl option to podman create and podman run, and the --interface-name option to podman network create.
  • Artifacts created by Podman now include a creation timestamp by default, stored in the org.opencontainers.image.created annotation (#27081).
  • The podman inspect command can now inspect artifacts.
  • The podman artifact add command can now override the org.opencontainers.image.title annotation in created artifacts.
  • Podman can now optionally be built with Sequoia-PGP support. When so built, the --sign-by-sq-fingerprint option allows signing images using Sequoia-PGP keys.

Bugfixes

  • Fixed a bug where the --filter ancestor= option to podman ps required complete matches, unlike Docker (which matched substrings) (#26623).
  • Fixed a bug where the --filter label= option to podman events did not support key-only matches (as podman ps --filter label= does) (#26702).
  • Fixed a bug where Quadlet could panic when a Mount was given without a source being specified.
  • Fixed a bug where Quadlet would fail to generate for a .build file when a systemd specifier was used in the [Build] section (#26746).
  • Fixed a bug where the podman info command could panic when /proc/sys/fs/binfmt_misc was not mounted.
  • Fixed a bug where the remote Podman client could lose some initial bytes of output from attach sessions (podman run, podman exec, podman attach) due to a race condition (#26951).
  • Fixed a bug where the podman build command was ignoring SBOM related options (#23915).
  • Fixed a bug where the --userns=ns:/path option to podman create and podman run was broken with runc 1.1.11 and higher (#27148).

API

  • Added a new API endpoint to list quadlets (GET /libpod/quadlets/json).
  • The Compat Inspect endpoint for Images no longer includes the ContainerConfig field. To access image configuration, use the Config field instead. This matches changes made by Docker in the v1.45 API.
  • Fixed a bug where the Stats and Commit endpoints for Containers (compat & libpod), the Push, Commit, and Pull endpoints for Images (compat & libpod), and the Push endpoint for Manifests (libpod) were not returning a Content-Type header.

Misc

  • Error messages returned when an incomplete --device option (for example --device /dev/fuse::) is passed to podman create or podman run have been improved.
  • Updated Buildah to v1.42.0
  • Updated the containers/image library to v5.38.0
  • Updated the containers/storage library to v1.61.0
  • Updated the containers/common library to v0.66.0
  • The containers/image, containers/storage, and containers/common libraries are now sourced from the containers/container-libs monorepo.

v5.6.2

30 Sep 19:42
v5.6.2
9dd5e1e

Bugfixes

  • Fixed a bug where stopping the podman machine start command with SIGPIPE could result in machine state being stuck as "Starting" (#26949).
  • Fixed a bug where podman build would fail with a permissions error when building Containerfiles using a non-root user and cache mounts (#27044).

Misc

  • Updated Buildah to v1.41.5

v5.6.1

04 Sep 20:55
v5.6.1
1e2b231

Security

  • This release addresses CVE-2025-9566, where Kubernetes YAML run by podman play kube containing ConfigMap and Secret volumes can use crafted symlinks to overwrite content on the host.

Bugfixes

  • Fixed a bug where network creation and removal events were displayed incorrectly when the journald events driver was in use.
  • Fixed a bug where the --security-opt seccomp=unconfined option was broken on Windows (#26855).
  • Fixed a bug where containers created with a name longer than 64 characters, no explicit hostname, and the container_name_as_hostname option in containers.conf set to true would fail to start.
  • Fixed a bug where Podman would fail to start containers when runc 1.3.0 or later was used as the OCI runtime (#26938).

Misc

  • Adjusted the systemd-tmpfiles script to recursively remove temporary files directories placed in /tmp, ensuring proper operation of Podman after a reboot if /tmp is not a tmpfs.
  • Updated Buildah to v1.41.4
  • Updated the containers/storage library to v1.59.1
  • Updated the containers/common library to v0.64.2