We recently added support for user namespaces to Podman. This has some major benefits for security and added flexibility when running containers. It allows processes to have privileges inside of the container, but no privileges if they escape the container.
RPM-OSTree/OSTree conveniently allows you to roll back if you upgrade and don’t like the upgraded software. This is done by keeping around the old deployment: the old software you booted into. After a single upgrade you’ll have a booted deployment and the rollback deployment. On the next upgrade the current rollback deployment will be discarded and the current booted deployment will become the new rollback deployment.
Typically these two deployments are all that is kept around. However, recently a new pinning feature was added that allows the user to pin a deployment to make sure it doesn’t get garbage collected.
Welcome to Red Hat CoreOS
When Red Hat acquired CoreOS, you asked what will become of Project Atomic or Container Linux. Today at Red Hat Summit, we’re sharing more details around the acquisition. Customers and community users will benefit from the plans around Tectonic and OpenShift, Container Linux and Atomic Host, as well as Quay.
Our other popular community projects such as Buildah, Cockpit, and Skopeo continue as usual. Fedora Atomic Workstation already announced that it is now a Fedora initiative with the codename Team Silverblue, continuing to improve an image-based Fedora Workstation as well as potentially adding GUI tools for pet containers. If you happen to be at Red Hat Summit, check out the Atomic BoF session where you can ask questions and tell us which features you would like to see in the future. Read more about our shared vision for the future at the CoreOS blog.
Coming to Red Hat Summit? Project Atomic will be there! We will have multiple sessions plus demonstrations at the booth in Community Central. Click through for details.
Podman and insecure registries
Over the last few weeks, we have had a number of bugs and questions about how to pull from an insecure registry. The obvious advice here is that you should always be using a registry which implements tls-verify. But if you are a container or image developer, or you are just plain breaking new ground, your registry may not use tls-verify. Podman can handle this, and I wanted to spend a minute or two explaining how it does and the logic behind it.