@kke kke released this Feb 28, 2018 · 30 commits to master since this release


Version 1.5 Highlights

Security Improvements

The Kontena Vault now uses a stronger key derived from the configured VAULT_KEY for encrypting vault secrets. The configured VAULT_KEY was previously truncated to the first 32 bytes, limiting the effective AES-CBC key strength to 128 bits for hexadecimal values, or 192 bits for base64-encoded values. Existing vault secrets will be re-encrypted using the stronger key on upgrade. (PR #3248 / Issue #3247)

The Kontena Vault secrets are now encrypted using an AES-CBC Initialization Vector (IV) that is randomized for each secret. The configured VAULT_IV was previously used as a static IV shared across all encrypted secrets, but is no longer required. Existing vault secrets will be re-encrypted using randomized IVs on upgrade. (PR #3184 / Issue #3183)
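The two vault fixes above, shown side by side in an added example (not Kontena's own code): truncation makes the tail of VAULT_KEY irrelevant, and a static CBC IV reveals which secrets share a leading block. The SHA-256 derivation, the helper names and the sample key, IV and secrets are assumptions constructed for illustration.

```ruby
require 'openssl'
require 'digest'

# Pre-1.5 behaviour described above: only the first 32 bytes of the
# configured VAULT_KEY string are used as the AES key.
def truncated_key(vault_key)
  vault_key.byteslice(0, 32)
end

# Assumption: SHA-256 over the whole string stands in for the stronger
# derivation; the release notes do not name the function Kontena uses.
def derived_key(vault_key)
  Digest::SHA256.digest(vault_key)
end

def cbc_encrypt(key, iv, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.update(plaintext) + cipher.final
end

# Old scheme: the configured VAULT_IV is reused for every secret.
def encrypt_static_iv(key, vault_iv, plaintext)
  cbc_encrypt(key, vault_iv, plaintext)
end

# New scheme: a fresh random IV per secret, stored before the ciphertext.
def encrypt_random_iv(key, plaintext)
  iv = OpenSSL::Random.random_bytes(16)
  iv + cbc_encrypt(key, iv, plaintext)
end

# Constructed sample values, not real secrets.
KEY_A    = '0123456789abcdef' * 4       # 64 hexadecimal characters
KEY_B    = KEY_A[0, 32] + ('f' * 32)    # differs only after byte 32
VAULT_IV = 'constructed-iv16'           # 16 bytes
SECRET_1 = 'db-password=hunter2-production'
SECRET_2 = 'db-password=hunter2-staging'

if __FILE__ == $PROGRAM_NAME
  old_key = truncated_key(KEY_A)
  c1 = encrypt_static_iv(old_key, VAULT_IV, SECRET_1)
  c2 = encrypt_static_iv(old_key, VAULT_IV, SECRET_2)
  puts "truncation ignores key tail: #{old_key == truncated_key(KEY_B)}"
  puts "static IV leaks shared prefix: #{c1.byteslice(0, 16) == c2.byteslice(0, 16)}"
  r = Array.new(2) { encrypt_random_iv(derived_key(KEY_A), SECRET_1) }
  puts "random IV hides equal secrets: #{r[0] != r[1]}"
end
```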

A potential XSS vulnerability in the "kontena master login --remote" code display has been fixed. (#3223)

Options After Parameters

Commands that accept parameters now also accept options after the parameter. For example,
these commands did not work before:

$ kontena stack deploy example-stack --help
ERROR: too many arguments
$ kontena stack rm example-stack --force
ERROR: too many arguments

Note that if you need to use something that looks like an option as a parameter, you need to use the
common double dash (--) option break indicator:

$ kontena master ssh ls -al
ERROR: Unrecognised option '-l'
$ kontena master ssh -- ls -al
$ kontena vault write -- SECRET --secret-password--

Kontena Stack Registry V2 API And The New 'meta' Fields

While mostly invisible to the end-user, the CLI stack registry API client is now using
the completely rewritten stack registry and the V2 JSON-API it offers. The registry
supports GZip responses, private stacks, server-side stack YAML validation and parsing
of the new top level 'meta:' fields.

The meta fields can be used to add extra information to stacks published in the registry.

You can find the full set of accepted metadata fields in the pull request #3219 description.

As the CLI HTTP client now supports gzip compressed responses, we have also added the option
to enable compression in the Kontena Master API. To enable, set KONTENA_SERVER_GZIP=true
in the Master environment.

Drop Support For Ruby 2.1, Build Installer With Embedded Ruby 2.5.0

As the Ruby 2.1 branch has been out of development for almost a year now, it's time to upgrade
if you haven't already.

The macOS Kontena CLI installation package is now bundled with Ruby version 2.5.0.

Ruby 2.2 is nearing its EOL at the end of March 2018.

Process Multiple Items In One Command

Many of the subcommands can now accept a list of items instead of just one. This is handy in
shell scripts and one-liners, for example:

$ kontena vault ls -q | xargs kontena vault rm --force
$ kontena vault rm --force $(kontena vault ls -q)

Master Authentication Token Descriptions

You can now add descriptions to the master authentication tokens:

$ kontena master token create -e 0 --description "deploy key"
$ kontena master token ls
5a8c275351d1a1001566a4ef   bearer       f539          never        user         deploy key

Health Check

The agent now uses the port in health check definition when configuring the load balancer. (PR #3113 / Issue #1709)

Example configuration:

      protocol: http
      uri: /
      port: 8000

The health check will now consider HTTP 3XX status codes as healthy. (PR #3265 / Issue #1790)

Logging Container Crashes

It was previously not possible to see whether a container restarted because it crashed or because of an intentional action such as a deploy or a manual restart. (#3286)

2018-02-16T14:43:26.731698302Z container die 9d21e309419ffbd32d75ab4bf544baf4deefb491934a762fc88b5c34a3071a52 (exitCode=137...)

Service Affinities

When scheduling a service with an affinity like service==api, only the bare service names were previously matched, without considering their stack scope. If multiple stacks had identically named services that matched the affinity filter, then all of those external services would have been considered as matching candidates. (PR #2967 / Issue #2911)

You can now set the stack scoped affinity as service==stack/api.

The affinity filters can now also include regular expressions such as node!=/^node-(2|3)$/. (PR #3099 / Issue #2909)

Daemon Strategy Node Stickiness

When a service has been deployed using the daemon strategy and a node goes offline, the scheduler now keeps the existing instances on the nodes they were running on already. (#3137)

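Node | All Online | Node 2 Offline Before 1.5 | Node 2 Offline With Kontena 1.5
-----|------------|---------------------------|--------------------------------
1    | instance-1 | instance-1                | instance-1
2    | instance-2 |                           |
3    | instance-3 | instance-2                | instance-3
4    | instance-4 | instance-3                | instance-2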

Let's Encrypt Certificate Challenges

The Kontena Let's Encrypt certificate integration now supports http-01 challenges as a replacement for the disabled tls-sni-01 challenges. (PR #3212 / Issue #3209)



Agent

  • Add health check port to LB configs (#3113)
  • Add Agent Watchdog supervisor to agent (#3135)
  • Fix agent ServicePodWorker to ignore stale container events (#3259)
  • Change agent health check to accept HTTP 3xx as healthy (#3265)
  • Log container healthcheck errors (#3284)
  • Log service:instance_exit event on container crashes (#3286)
  • Fix agent to unregister LB service backends earlier during container shutdown (#3287)
  • Fix agent container log dropping entries when queue size exactly matches the throttle limit (#3288)

Agent + Server

  • Use GridService revision for service/container updates (#2371)
  • Improve agent ServicePodWorker container restart handling (#2780)


Server

  • Remove server AsyncHelper#async_thread (#2786)
  • Fix service affinity filters to be stack-scoped (#2967)
  • Cap stack/service deploy collections (#3041)
  • Deploy tls-sni challenge certs as separate SSL_CERT_acme_challenge_* envs (#3076)
  • Support regex in affinity filters (#3099)
  • Remove dependant service logic (#3100)
  • Validate tls-sni domain authorization linked service port (#3132)
  • Enhance daemon strategy to implement node stickiness (#3137)
  • Use random initialization vector (#3184)
  • Fix server certificate domain verification request error handling (#3186)
  • Add cleaner job for old deployments (#3191)
  • Remove deprecated GridServiceHealthMonitorJob (#3202)
  • Resolve notification message receivers properly when grid is deleted (#3214)
  • Fix server Celluloid::Proxy::Async leak from RPC /container/health handler (#3217)
  • Fix server MongoPubsub to restart subscriptions after crashing (#3218)
  • Fix potential XSS vulnerability in master remote login code display (#3223)
  • Enable server API gzip encoding when KONTENA_SERVER_GZIP=true (#3241)
  • Server: Derive stronger SymmetricEncryption key from the configured VAULT_KEY (#3248)
  • Change GridService.stop_grace_period to Integer (#3275)
  • Upgrade server api-docs build system nokogiri to 1.8.2 (#3309)

Server + CLI

  • Make --email optional in external-registry add (#3055)
  • Add description field to master authentication access tokens (#3211)
  • Basic support for Let's Encrypt http-01 certificate / domain authorizations (#3212)
  • Send and return stack metadata to/from master (#3281)


CLI

  • Add "kontena plugin upgrade" to upgrade all plugins (#2952)
  • Set master name from KONTENA_MASTER when configuring from ENV (#3009)
  • Require --force if some items in node label rm list are missing (#3065)
  • Use --no-log-forwarder instead of --log-forwarder none in grid update (#3095)
  • Add --id to "kontena master token current" (#3096)
  • Stack inspect command (#3123)
  • Make kontena master token show output consistent with other show commands (#3156)
  • Fix confirmation dialog in stack related commands (#3169)
  • Update CLI image docker client to 17.06 (#3177)
  • Remove deprecated "kontena master users" subcommand (#3182)
  • Refactor stack change resolving (#3185)
  • Fix stack list tree icon (#3187)
  • Improve stack install deps handling (#3188)
  • Don't warn about deps if --keep-dependencies is given in stack rm (#3189)
  • Allow to command multiple items via CLI (#3193)
  • Remove deprecated app subcommand from CLI completions (#3195)
  • Fix and enhance stack command CLI autocompletions (#3197)
  • Upgrade CLI tty-prompt dependency to 0.14.0 (#3203)
  • Upgrade CLI excon dependency to 0.60.0 (#3204)
  • Upgrade CLI hash_validator dependency to 0.8.0 (#3205)
  • Drop CLI launchy dependency (#3208)
  • Switch to Stack registry V2 API and add support for the new stack YAML metadata fields (#3219)
  • Enable gzip response parsing in CLI API client where supported (#3222)
  • Fix cli plugin uninstall (#3230)
  • Add missing cli etcd remove alias (#3235)
  • Fix client to not ignore invalid response JSON (#3240)
  • Fix to not accept gzip responses for streaming get requests (#3242)
  • Fix API client to ignore empty response JSON body (#3252)
  • Fix stack service extends: from registry stacks (#3258)
  • Fix grid remove parameter attribute conflict (#3263)
  • Upgrade CLI clamp dependency to 1.2.1 (#3267)
  • Allow CLI --options after parameters (#3268)
  • Drop CLI Ruby 2.1.0 support, upgrade installer embedded Ruby to 2.5.0 (#3272)
  • Fix stack / service deploy --no-wait description (#3290)
  • Add kontena service scale missing --no-wait flag (#3298)
  • Fix CLI master deploy wizard auth provider help links (#3308)

Test suite

  • Fix remaining plugin uninstall --force usages in tests (#2935)
  • Fix e2e stack validate entrypoint spec to use --format=api-json (#3163)
  • Fix e2e broken stack remove spec after hook (#3164)
  • Fix e2e test spec helpers to fail instead of aborting (#3165)
  • Fix e2e test container to use bundle exec (#3170)
  • Fix e2e stack validate entrypoint spec (#3172)
  • Test cli with ruby-2.5.0 (#3175)
  • Add --profile to e2e suite .rspec (#3198)
  • Fix travis e2e allow_failures clause (#3199)
  • Optimize e2e vpn specs (#3200)
  • Fix e2e stack install spec stack conflicts (#3201)
  • Fix e2e remove specs to not use unsupported shell syntax (#3227)
  • Fix e2e specs to run! (some of) the things (#3229)
  • Require travis e2e specs to pass (#3232)
  • E2E: Add spec for master token remove (#3233)
  • E2E: Use run! where applicable (#3236)
  • Fix hanging stack upgrade e2e spec (#3244)
  • Fix e2e app remove spec race on terminating service (#3245)
  • Fix CLI travis to bundle install --without development (#3221)
  • Fix flaky agent EventWorker#start spec (#3305)