Skip to content

Doki v0.10.0 - Podman 1:1, Kubernetes 1.32, macOS Native

Choose a tag to compare

View all tags
@awa-omg awa-omg released this 20 Jun 09:23
· 1 commit to main since this release
v0.10.0
5f01e89

Doki v0.10.0 — Podman 1:1, Kubernetes, macOS Native, 55K LOC

Breaking Changes

  • None. v0.10.0 is fully backward-compatible with v0.9.3. All existing
    Docker API endpoints continue to work. New Podman and Kubernetes
    endpoints are additive.

What's New

Podman API v5 (39 endpoints)

  • Pod management (pkg/podman/pod_manager.go): create, start, stop,
    restart, kill, pause, unpause, inspect, remove, list, prune
  • Secret management (pkg/podman/secret_manager.go): create, inspect,
    list, remove with encryption support
  • Manifest management (pkg/podman/manifest_manager.go): create, add,
    remove, inspect, push, list
  • Compatible with podman-remote clients (libpod v5 protocol)
  • 14 unit tests covering validation, lifecycle, persistence, and
    duplicate detection

Kubernetes 1.32 (6 components)

  • API Server (pkg/apiserver/server.go): 530 lines, handles pods,
    services, deployments, configmaps, secrets, namespaces, nodes, PV,
    PVC, serviceaccounts, events with REST semantics
  • Kubelet (pkg/kubelet/kubelet.go): pod reconciliation loop with
    status reporting to the API server
  • Scheduler (pkg/scheduler/scheduler.go): pod-to-node assignment
  • Controllers (pkg/controllers/manager.go): 10 controllers
    (Deployment, ReplicaSet, Job, CronJob, DaemonSet, StatefulSet,
    Node, Namespace, GarbageCollector)
  • Kube-proxy (pkg/kubeproxy/proxy.go): service-to-pod IP routing
    (iptables mode)
  • CoreDNS (pkg/coredns/server.go): cluster-local DNS resolution
    with service discovery
  • kubectl client (cmd/doki-kubectl/main.go): get, apply, delete,
    describe, logs, version, cluster-info, api-resources with namespace
    and all-namespaces flags
  • 80 K8s API types (pkg/k8s-types/): meta, core, core_resources,
    apps with full godoc documentation

macOS Native Virtualization

  • VZ backend (pkg/macos/vz_backend.go): Apple Virtualization.framework
    for macOS 11+ with CGO/ObjC
  • QEMU backend (pkg/macos/qemu_backend.go): fallback QEMU-based VM
    for macOS without VZ or for Intel Macs
  • Sandbox backend (pkg/macos/sandbox_backend.go): macOS sandbox-exec
    lightweight isolation (no VM overhead)
  • Stub backend (pkg/macos/backend_stub.go): no-op stubs for non-macOS
    platforms, build-tag separated (!darwin)

doki-OS

  • Kernel config (doki-os/kernel/doki-os.config): minimal Linux kernel
    config targeting ~4MB compressed bzImage, todo built-in (no modules),
    excludes ACPI/USB/GPU/WiFi/sound
  • Makefile (doki-os/Makefile): kernel + rootfs + VM image build system

Landlock Sandboxing

  • ABI v9 support for Linux 5.13+ kernels
  • Filesystem rules (17 access types), network rules (TCP bind/connect),
    scope rules (abstract Unix sockets, signals)
  • Auto-detection with ABI fallback (probes highest supported version)

State Store & Memory Management

  • Thread-safe store (pkg/store/store.go): Watch/List/Put/Delete
    with revision tracking and change notifications
  • SQLite support via github.com/ncruces/go-sqlite3 for persistent
    state (optional, defaults to in-memory)

Compose Watch & Publish

  • Watch (pkg/compose/watch.go): file watching via
    github.com/fsnotify/fsnotify for hot-reload during development
  • Publish (pkg/compose/publish.go): service mesh integration for
    compose-based deployments

DNS Advanced Features

  • SRV records (pkg/network/dns_advanced.go): service discovery
    protocol support
  • DNSSEC validation: configurable DNSSEC verification
  • Persistent cache: LRU-based DNS cache with TTL and expiration
  • Domain rules: per-domain upstream resolver configuration

Process Monitoring

  • pidfd (pkg/runtime/pidfd.go): Linux 5.3+ process file descriptors
    for reliable process tracking without PID reuse races

Build System & CI

  • 13 build targets across Linux (ARM64, ARMv7), macOS (ARM64, AMD64),
    and Android (ARM64, ARMv7)
  • Makefile updated with doki-kube, doki-kubectl, darwin-amd64
    and darwin-arm64 targets
  • SHA256 checksums generated for all release artifacts

Dependencies

Added (15 new direct dependencies)

Module Purpose
github.com/opencontainers/image-spec OCI image spec types
github.com/opencontainers/runtime-spec OCI runtime spec
github.com/opencontainers/go-digest OCI content digests
github.com/opencontainers/selinux SELinux labeling support
google.golang.org/grpc gRPC for CRI plugin
google.golang.org/protobuf Protobuf for CRI
k8s.io/cri-api Kubernetes CRI API types
github.com/containerd/containerd/v2 Containerd OCI packages
github.com/klauspost/compress Fast gzip/zstd compression
github.com/ulikunitz/xz XZ compression support
github.com/moby/patternmatcher Dockerfile pattern matching
github.com/moby/term Terminal utilities
github.com/ncruces/go-sqlite3 SQLite for K8s state store
github.com/mattn/go-isatty Terminal detection
golang.org/x/term Terminal I/O

Total: 21 direct, 50 total dependencies

Bug Fixes (190+ across 14 audit rounds)

Round 1-4: Static Analysis

  • staticcheck: 0 warnings (eliminated all U1000, S1011, S1012, S1017,
    SA1019, SA1004 errors)
  • errcheck: 672 production unchecked errors → 0 (fixed all I/O,
    JSON, process, and state management error handling)
  • go vet: 2 warnings → 0 (fixed mutex copy and undefined constant)
  • gosec: 14 G115 integer overflow conversions annotated with
    #nosec (intentional bit-shift operations for protocol encoding)

Round 5-8: Architecture & Security

  • ALL_CAPS constants → CamelCase in landlock (23 constants)
  • 330 unused parameters → 0 in production code
  • 42 missing package comments → all documented
  • 132 Runner method docs → all documented with godoc
  • 343 exported type docs added across storage, controllers, k8s-types,
    runtime, compose, cli, api

Round 9-10: CLI & UX

  • doki-kube --help exits cleanly without starting server
  • doki-kube version command implemented
  • doki-kubectl 11 bugs fixed (PANIC handler, -A/-n flags, describe
    singular→plural, shorthands, YAML apply, AGE calculation)
  • doki-compose down properly cleans containers, networks, volumes
  • doki search parses Docker Hub results correctly (NAME/DESCRIPTION/STARS)
  • doki system df displays formatted table instead of raw JSON
  • doki inspect/start require arguments (was silently returning)

Round 11-14: Networking & Concurrency

  • doki-link: 19 bugs fixed (race conditions in onMessage, goroutine
    leak in Stop, DoS via OOM in JSON decoder, thread-safety in crypto,
    mDNS entry expiration, TCPProxy dial timeout, backoff in gossip)
  • Cryptographic hardening: TLS 1.3 minimum, secretbox payload
    encryption, TOFU trust model, 0600 permissions on key material

Quality Metrics

Metric Before (v0.9.3) After (v0.10.0)
Files 120 158
LOC 18,000 55,000
Packages 15 29
Binaries 4 9
Dependencies 6 21
API version v1.48 v1.54
staticcheck 0 0
errcheck (prod) 687 0
go vet 2 0
revive 1,223 351
Test files 12 32

Known Limitations

Podman API

  • 39 of 184 libpod v5 endpoints implemented (21.2%). Missing endpoints
    include container lifecycle operations, image inspection/push, and
    generate kube/systemd. See pkg/podman/api.go for the full list.

Kubernetes

  • DNS requires root or CAP_NET_BIND_SERVICE for port 53.
    Default listen address 10.96.0.10:53 uses service CIDR.
  • doki-kubectl apply only accepts JSON (not YAML) unless the
    gopkg.in/yaml.v3 module is explicitly referenced.

DokiLink Mesh

  • No NAT traversal — peers must be on the same LAN or have routable IPs
  • No DHT — peer discovery requires static config or mDNS (LAN-only)
  • mDNS entries expire after 90 seconds with periodic cleanup

Compose

  • postgres:alpine layer extraction may fail with "unexpected EOF"
    on slow connections — retry by pulling the image first
  • Excessive chown: operation not permitted warnings in rootless/
    proot mode (cosmetic, does not affect container operation)

Security

All security findings from the comprehensive audit have been reviewed:

  • Path traversal: All tar extraction paths are validated with
    filepath.Clean and prefix checks before write
  • Permissions: Key material uses 0600; container files use 0644/0755
    (standard for multi-user container environments)
  • Decompression bombs: I/O from tar readers is bounded by container
    image layer sizes (registry-verified digests)
  • Integer overflow: Protocol encoding operations use intentional
    bit-shifts that guarantee byte-range values
  • unsafe.Pointer: Used only in pidfd.go for the Linux waitid(2)
    syscall (the only way to reliably track process exit status without
    PID reuse races)

Install / Upgrade

# ARM64 (most Android devices, Apple Silicon, Linux ARM servers)
curl -L https://github.com/OpceanAI/Doki/releases/download/v0.10.0/doki-v0.10.0-arm64.tar.gz | tar -xz
cd doki-v0.10.0-arm64
./install.sh

# ARMV7 (older 32-bit Android)
curl -L https://github.com/OpceanAI/Doki/releases/download/v0.10.0/doki-v0.10.0-armv7.tar.gz | tar -xz
cd doki-v0.10.0-armv7
./install.sh

# macOS ARM64 (Apple Silicon)
curl -L https://github.com/OpceanAI/Doki/releases/download/v0.10.0/doki-v0.10.0-darwin-arm64.tar.gz | tar -xz
cd doki-v0.10.0-darwin-arm64
./install.sh

Verifying

dokid --version
doki version
doki-kube version
doki-kubectl version
doki-compose version

Building from Source

git clone https://github.com/OpceanAI/Doki.git
cd Doki
make release        # all platforms
make build-linux-arm64   # single platform

Changelog

See README.md for the full changelog (v0.9.0 through v0.10.0).

Assets 20
Loading