Latest release


@lucab lucab released this Apr 16, 2018 · 8 commits to master since this release

This release includes some small command line tweaks and adds support for CRI logging in iottymux, which is required by rktlet.
It also fixes a number of bugs, adds a lot of new documentation, and updates some dependencies.

New features

  • status: added read from uuid-file (#3860).
  • stage0/run: relax '--hosts-entry' parser (#3833).
  • iottymux: store logs for kubelet in the appropriate location (#3798). This change is made for rktlet. iottymux will store the logs directly in the CRI format.
  • rkt: add AWS auth headerer support to rkt config (#3910).


Bug fixes

  • kvm: solve certain routing issues by using the same default bridge as CNI (#3905).
  • networking/portfwd: fix compare routeLocalnetValue (#3897).
  • list: add ip of non-running pods to status output (#3857).
  • stage1: execute pre-start/post-stop hooks as privileged (#3844). This applies even if the container runs as an unprivileged user.
  • stage1-fly/run: allow non absolute commands to be run (#3845).
  • rkt: prevent skipping some images in image gc (#3858).
  • rkt: skip parsing in case of an empty string (#3822). Fixes an issue where rkt app add fails with an error message like "must give only one app", even when only one app name is given.

Build system

  • scripts: Add libfdt to install deps (#3834). libfdt-dev is needed when building kernels for architectures that support a device tree.
  • makelib: Fix go-find-directories symlink problem (#3824).
  • scripts: adding missing dependencies to debian dependency installer (#3829).
  • scripts/build-pkgs: use RPM file dependency for shadow tools (#3904).

Other changes

  • Lots of documentation updates.
  • selinux: Update to latest (#3818).
  • travis: update go versions (#3821).
  • vendor: bump docker2aci to v0.17.1 (#3835). It fixes an image pulling bug for some images in GCR.
  • Fix all the misspellings (#3870).
  • stage1/usr_from_coreos: add new image signing subkey 0638EB2F (#3902).
  • tests: Use semaphore install-package (#3827).
  • tests: Add verbose flag to (#3819).


@lucab lucab released this Oct 4, 2017 · 159 commits to master since this release

This release contains a number of bugfixes, new features like the ability to share the host IPC namespace, dependency updates, and build system improvements.


Bug fixes

  • app/add: Use the image name as a default name for app (#3802). Make the --name flag optional, as stated in the help message.
  • stage1/init: activate systemd-journal-flush.service (#3807). It's needed to make systemd-journald write to /var/log/journal instead of /run/log/journal.
  • stage0/gc: try to avoid double overlay mounts (#3806). Before Linux 4.13 it was possible to perform double overlayfs mounts; it no longer is, so handle this case.
  • api: add CreatedAt to v1.Pod (#3797). It might happen that the pod is created but we can't get its start time so we add a CreatedAt field to the API.
  • lib: don't error out if we can't get the app exit code (#3800). This can happen if the pod dies but we don't have time to register the app exit code.
  • image: set the header instead of adding it (#3796). The Go http/client has changed its behavior for redirects and header copying since Go 1.8:
  • lib/app: check in upper/ if the pod uses overlay (#3791). Getting creation/start time and status of applications will fail for pods using overlay if stage1 was unmounted (e.g. when rebooting).
  • stage1: handle docker group semantics (#3792). Docker uses the UID as GID if you only specify the "user".
  • stage1: support hybrid cgroup hierarchy (#3784). systemd introduced the hybrid cgroup hierarchy in v233, which was breaking the host flavor of rkt.
  • pkg/keystore: ensure correct permissions on path creation (#3780). Allow writing to /etc/rkt/trustedkeys as a user in the rkt group in systems with restrictive umask.
  • networking: ensure the netns directory is mounted (#3761). Allows using rktnetes and rkt on the same host.
  • stage1: fix systemd version fmt in error message (#3767). The previous version caused cryptic error messages.

New features and UX changes

  • app/add: Allow to define annotations for app from CLI (#3814).
  • app/sandbox: Allow to define annotations for sandbox from CLI (#3816).
  • stage0,rkt: don't require the pod to be running to remove apps (#3799).
  • stage1: enable host IPC namespace (#3787). rkt normally creates a new IPC namespace for the pod. In order to stay in the host IPC namespace, a new option --ipc= was added.
  • rkt: bash completion code (#3774). This patch provides an implementation of the command used to generate completion code for the bash shell.

Other changes

  • vendor: bump docker2aci to v0.17.0 (#3810).
  • vendor: update pborman/uuid to v1.1 (#3809).
  • vendor: bump appc/spec to v0.8.11 (#3803).
  • rkt_seccomp_test: Fix arm64 stat tests (#3804).
  • build: sort stage1 manifest files (#3808). To ease maintenance.

Build system

  • build/stage1: support local systemd source for offline builds (#3746).
  • RPM/deb package can upgrade even if running pods (#3766).
  • src flavor: copy the real file from the host (#3764). It was copying a symbolic link instead.


@lucab lucab released this Aug 2, 2017 · 229 commits to master since this release

This is a minor bugfix release. It does not contain any changes to the rkt code, but it updates dependencies and runtime versions for bugfixes:

  • vendor: update go-systemd to v15 (#3759). rkt stopped working when running in a service with systemd v234. This update fixes it.
  • scripts: update rkt-builder version to 1.3.0 (#3754). This updates the default Go runtime to 1.8, fixing #3738.


@lucab lucab released this Jul 28, 2017 · 236 commits to master since this release

This release contains changes to the behavior of rkt run, rkt status, and rkt fly to make them more consistent. Two of them need particular attention:

  • rkt status can now omit the pid field when non-existent. Use --wait[-ready] to ensure a pid will be available.
  • the default[-restricted] network is not added by default when a custom network is specified with --net.

There are also some improvements on documentation and tests working on arm64.

New features and UX changes

  • stage0/status: fix failure when systemd never runs in stage1 (#3713). This changes the behavior of rkt status when a PID is not available: instead of crashing, it will now omit the pid field. Users that need to read the PID shortly after an invocation of rkt run should now use the --wait[-ready] flag explicitly.
  • BREAKING network: do not automatically add default* networks when custom ones are specified (#3685).
  • stage1/fly: preserve environment between run and enter (#3712). Fly run now writes the app env file, and fly enter reads it.
  • stage1/fly: make run/enter honour uid/gid/suppGids (#3717). Refactored common functionality out of run.


Bug fixes

  • stage1/init/units: keep journald running while apps are shutting down (#3726). This prevents a race when apps are writing to their stdout/err (and output is being sent to stage1's journal) while shutting down. If journald terminates before the apps finish shutting down, their output will be lost.
  • tests: get functional tests working on arm64 (#3737). Various arch fixups to get make check with a coreos stage1 working on arm64 machines.
  • Fix --user --group on arm64 (#3736). Fixes issue #3714 (rkt run --user fails on arm64).

Other changes

  • docs: update CLI flags in (#3748). Also added rkt-run options present in rkt 1.27.0 but not present in the markdown. The entries in markdown have been sorted.
  • tests/net: skip TestNetCustomBridge on semaphore (#3740). Reference #3739
  • doc: mention external stage1s (#3723). This was discussed on:
    #3645 (comment)
  • rkt/pubkeys: print debug logs on discovery errors (#3705). This reorders log-printing and error-returning when pubkeys discovery fails, in order to print useful debugging information on error.
  • docs: correct rkt pronunciation (#3674). rkt has an icon of a rocket but previously the official pronunciation was "rock-it" which is incompatible with the logo. This change fixes that.
  • stage0: fix message formatting errors, stale forward-vars (#3722).


@squeed squeed released this Jun 19, 2017 · 275 commits to master since this release

This minor release contains bugfixes, along with improvements related to the tests and the documentation.

New Features

  • stage1/kvm: add arm64 build (#3690).


Bug fixes

  • stage0: list|status --format=json panics: RuntimeApp.Mounts.AppVolume is optional (#3699). When it is nil, the Volume info at the Pod level (with the same name) should be used. Without this patch rkt list --format=json panics on a nil pointer when Apps reference Volumes from the Pod level.
  • imagestore: Fix sql resource leaks (#3682). When using sql queries the rows iterator needs to be closed if the entire query result is not iterated over. Failure to close the iterator results in resource leakage.

Other changes

  • networking: change the default-restricted subnet (#3718). Previously, we were using 172.17/16, which conflicts with the default Docker networking. Change it to 172.31/16.
  • scripts/pkg: improved detection of active mounts (#3710). On systems which have /var/lib/rkt as a separate partition, the active mount detection in before-remove needs to not get confused by the presence of /var/lib/rkt itself as a mount. Therefore a longer path is used for active mount detection.
  • stage1/usr_from_coreos: add new image signing sub-key EF4B4ED9 (#3686). See coreos/init#236.
  • scripts: skip nonexistent stage1 images when packaging (#3687). Not all builds will generate all stage1 images. It depends on what ./configure flags (--with-stage1-flavors) were used.
  • tests: Only run race test on supported arch (#3684). Fixes build errors like these when run on non amd64 machines:
  • functional test: Fix manifest arch error (#3681). The manifest contains values for the ACI arch and OS, not the go language values.
  • Documentation updates: #3680, #3679, #3700, #3709


@lucab lucab released this May 15, 2017 · 308 commits to master since this release

This minor release contains bugfixes and other improvements. It also adds better support for the arm architecture to rkt, so that you can now fetch images via autodiscovery and have the correct seccomp whitelist to run them. Also notable is the new possibility to pass extra kernel parameters to kvm, and last but not least a significant prepare/run speedup in stage0. This release also introduces stricter validation on volume names, now rejecting duplicate ones.

New Features

  • stage1: improve duplicate mount-volume detection (#3666). Breaking change: volumes with duplicate names are now rejected.
  • stage0/{run,prepare}: remove ondisk verification (#3623). For backwards compatibility, specifying 'insecure-options=ondisk' will still run without error, however it will also not do anything.
  • kvm/qemu: add extra kernel parameters (#3644).


Bug fixes

  • seccomp: add arch-specific syscalls on ARM (#3636).
  • fetch: use proper appc os/arch labels (#3621).
  • tests/caps: skip if overlayfs support is missing (#3670).
  • build/stage1: transfer user xattr data (#3665).
  • stage1: include <sys/sysmacros.h> for makedev function (#3604).

Other changes

  • Add code of conduct (#3661). Required by CNCF.
  • rkt list|status: app state info (i.e. exit codes) in --format=json (#3638).
  • Documentation: added production-users and integrations pages (#3602).
  • Documentation: add mesos to integrations (#3624).
  • Documentation: add container linux and tectonic as production users (#3618).
  • Documentation: add Gentoo to the list of distributions that have rkt (#3613).
  • Documentation: add some individual blog posts (#3611).
  • Documentation: cleanup stage1 stuff (#3612).
  • dist: use instead of (#3620).
  • scripts: update rkt-builder version (#3595).


@lucab lucab released this Feb 20, 2017 · 376 commits to master since this release


This minor release contains bugfixes and other improvements related to the KVM flavour, which is now using qemu-kvm by default.

New Features

  • Switch default kvm flavour from lkvm to qemu (#3562).

Bug fixes

  • stage1/kvm: Change RAM calculation, and increase minimum (#3572).
  • stage1: Ensure ptmx device usable by non-root for all flavours (#3484).

Other changes

  • tests: fix TestNonRootReadInfo when $HOME is only accessible by current user (#3580).
  • glide: bump grpc to 1.0.4 (#3584).
  • vendor: bump docker2aci to 0.16.0 (#3591).


@squeed squeed released this Feb 4, 2017 · 403 commits to master since this release

This release includes experimental support for attaching to a running application's input and output. It also introduces
a more finely grained pull-policy flag.

New Features:

  • rkt: add experimental support for attachable applications (#3396).
    It consists of:
    • a new attach subcommand
    • a set of per-app flags to control stdin/stdout/stderr modes
    • a stage1 iottymux binary for multiplexing and attaching
    • two new templated stage1 services, iomux and ttymux
  • run/prepare/fetch: replace --no-store and --store-only with --pull-policy (#3554).
    • Replaces the --no-store and --store-only flags with a single flag, --pull-policy.
    • --pull-policy can accept one of three values: never, new, and update.
    • --no-store has been aliased to --pull-policy=update
    • --store-only has been aliased to --pull-policy=never

Bug fixes

  • image gc: don't remove images that currently running pods were made from (#3549).
  • stage1/fly: evaluate symlinks in mount targets (#3570).
  • lib/app: use runtime app mounts and appVolumes rather than mountpoints (#3571).

Other changes:

  • kvm/qemu: Update QEMU to v2.8.0 (#3568).
  • stage0/app-add: CLI args should override image ones (#3566).
  • kvm/lkvm: update lkvm version to HEAD (#3569).
  • vendor: bump appc to v0.8.10 (#3574).
  • docs: (#3552)

Build & Test:

  • tests: remove gexpect from TestAppUserGroup (#3561).
  • travis: remove "gimme.local" script (#3556).
  • tests: fix when $HOME is only accessible by current user (#3559).
  • makelib: introduce --enable-incremental-build, enabling "go install" (#3553).


@s-urbaniak s-urbaniak released this Jan 19, 2017 · 442 commits to master since this release


This release adds a lot of bugfixes around the rkt fly flavor, garbage collection, kvm, and the sandbox. The new experimental app subcommand now follows the CRI semantics of not quitting prematurely if apps fail or exit. Finally, docker2aci received an important update fixing issues with os/arch labels which caused issues on arm architectures. A big thanks goes to @ybubnov for this contribution.

New features

  • sandbox: don't exit if an app fails (#3478). In contrast to regular rkt run behavior, the sandbox now does not quit if all or single apps fail or exit.

Bug fixes

  • stage1: fix incorrect splitting function (#3541).
  • sandbox/app-add: fix mount targets with absolute symlink targets (#3490).
  • namefetcher: fix nil pointer dereference (#3536).
  • Bump appc/docker2aci library version to 0.15.0 (#3534). This supports the conversion of images with various os/arch labels.
  • stage1: uid shift systemd files (#3529).
  • stage1/kvm/lkvm: chown files and dirs on creation (#3485).
  • stage1/fly: record pgid and let stop fallback to it (#3523).
  • common/overlay: allow data directory name with colon character (#3505).
  • api-service: stop erroring when a pod is running (#3525).
  • stage1/fly: clear FD_CLOEXEC only once (#3521).
  • stage1: Add hostname to /etc/hosts (#3522).
  • gc: avoid erroring in race to deletion (#3515).
  • tests/rkt_stop: Wait for 'stop' command to complete (#3518).
  • pkg/pod: avoid nil panic for missing pods (#3514).

Other changes

  • stage1: move more logic out of AppUnit (#3496).
  • tests: use appc schema instead of string templates (#3520).
  • stage1: kvm: Update kernel to 4.9.2 (#3530).
  • stage1: remount entire subcgroup r/w, instead of each knob (#3494).
  • tests: update AWS CI setup (#3509).
  • pkg/fileutil: helper function to get major, minor numbers of a device file (#3500).
  • pkg/log: correctly handle var-arg printf params (#3516).
  • Documentation/stop: describe --uuid-file option (#3511).


@lucab lucab released this Jan 6, 2017 · 502 commits to master since this release


This is a stabilization release which includes better support for environments without systemd, improvements to GC behavior in complex scenarios, and several additional fixes.

New features and UX changes

  • rkt/cat-manifest: add support for --uuid-file (#3498).
  • stage1: fallback if systemd cgroup doesn't exist (#3507).
  • vendor: bump gocapability (#3493). This change renames sys_psacct to sys_pacct.
  • stage0/app: pass debug flag to entrypoints (#3469).

Bug fixes

  • gc: fix cleaning mounts and files (#3486). This improves GC behavior in case of busy mounts and other complex scenarios.
  • mount: ensure empty volume paths exist for copy-up (#3468).
  • rkt stop/rm: a pod must be closed after PodFromUUIDString() (#3492).

Other changes

  • stage1/kvm: add a dash in kernel LOCALVERSION (#3489).
  • stage1/kvm: Improve QEMU Makefile rules (#3474).
  • pkg/pod: use IncludeMostDirs bitmask instead of constructing it (#3506).
  • pkg/pod: add WaitReady, dry Sandbox methods (#3462).
  • vendor: bump gexpect to 0.1.1 (#3467).
  • common: fix 'the the' duplication in comment (#3497).
  • docs: multiple updates (#3479, #3501, #3464, #3495).