@jonboulle jonboulle released this Oct 12, 2015 · 3209 commits to master since this release

rkt v0.9.0 is a significant milestone release with a number of internal and user-facing changes.

There are several notable breaking changes from the previous release:

  • The on-disk format for pod trees has changed slightly, meaning that rkt gc and rkt run-prepared may not work for pods created by previous versions of rkt. To work around this, we recommend removing the pods with an older version of rkt.
  • The --private-net flag has been renamed to --net and its semantics have changed (in particular, it is now enabled by default) - see below for details.
  • Several changes to CLI output (e.g. column names) from the rkt list and rkt image list subcommands.
  • The image fetching behaviour has changed, with the introduction of new flags to rkt run and rkt fetch and the removal of --local - see below for details.

New features and UX changes

--private-net --> --net, and networking is now private by default

The --private-net flag has been renamed to --net, and it is now the default behaviour. (#1532, #1418)
That is, a rkt run command will now by default set up a private network for the pod.
To achieve the previous default behaviour of the pod sharing the networking namespace of the host, use --net=host.
The flag still allows the specification of multiple networks via CNI plugins, and overriding plugin configuration on a per-network basis.
For more details, see the networking documentation.

New image fetching behaviour

When fetching images during rkt fetch or rkt run, rkt would previously behave inconsistently for different formats (e.g. when performing discovery or when retrieving a Docker image) when deciding whether to use a cached version or not.
rkt run featured a --local flag to adjust this behaviour, but its semantics were unintuitive and it was not available to the rkt fetch command.
Instead, rkt now features two new flags, --store-only and --no-store, on both the rkt fetch and rkt run commands, to provide more consistent, controllable, and predictable behaviour regarding when images should be retrieved.
For full details of the new behaviour see the image fetching documentation.

Unprivileged users

A number of changes were made to the permissions of rkt's internal store so that unprivileged users can access information about images and pods on the system (#1542, #1569).
In particular, the set-group-ID bit is applied to the directories touched by rkt install so that the rkt group (if it exists on the system) can retain read-access to information about pods and images.
This will be used by the rkt API service (targeted for the next release) so that it can run as an unprivileged user on the system.
This support is still considered partially experimental.
Some tasks like rkt image gc remain a root-only operation.
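
A way to check the permission layout described above, as an added example that is not part of rkt or of these release notes: it walks a directory tree and reports directories where the group would not keep read access. The directory path and group are supplied by the caller, and the finding names are made up for this sketch.

```python
import os
import stat


def check_dir_mode(mode, gid, expected_gid):
    """Return findings for one directory, given its st_mode and st_gid."""
    findings = []
    if gid != expected_gid:
        # The directory is not owned by the group that should read it.
        findings.append("wrong-group")
    if not (mode & stat.S_ISGID):
        # Without set-group-ID, entries created below take the creating
        # process's group instead of inheriting the directory's group.
        findings.append("missing-setgid")
    need = stat.S_IRGRP | stat.S_IXGRP
    if (mode & need) != need:
        # Listing and traversing a directory needs both r and x for the group.
        findings.append("group-cannot-read")
    return findings


def audit_tree(root, expected_gid):
    """Walk root (symlinks are not followed) and return {path: findings}."""
    report = {}
    for dirpath, _dirnames, _filenames in os.walk(root):
        st = os.lstat(dirpath)
        findings = check_dir_mode(st.st_mode, st.st_gid, expected_gid)
        if findings:
            report[dirpath] = findings
    return report


if __name__ == "__main__":
    import grp
    import sys

    # Usage: audit.py <directory> <group>, e.g. the rkt group named above.
    root, group = sys.argv[1], sys.argv[2]
    gid = grp.getgrnam(group).gr_gid
    for path, findings in sorted(audit_tree(root, gid).items()):
        print(path, ",".join(findings))
```
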

/etc/hosts support

If no /etc/hosts exists in an application filesystem at the time it starts running, rkt will now provide a basic default version of this file.
If rkt detects one already in the app's filesystem (whether through being included in an image, or a volume mounted in), it will make no changes. (#1541)

Other new features
  • rkt now supports setting supplementary group IDs on processes (#1514).
  • rkt's use of cgroups has been reworked to facilitate rkt running on a variety of operating systems like Void and older non-systemd distributions (#1437, #1320, #1076, #1042)
  • If rkt run is used with an image that does not have an app section, rkt will now create one if the user provides an --exec flag (#1427)
  • A new rkt image gc command adds initial support for garbage collecting images from the store (#1487). This removes treeStores not referenced by any non-GCed rkt pod.
  • rkt list now provides more information including image version and hash (#1559)
  • rkt image list output now shows shortened hash identifiers by default, and human readable date formats.
    To use the previous output format, use the --full flag. (#1455)
  • rkt prepare gained the --exec flag, which restores flag-parity with rkt run (#1410)
  • lkvm stage1 backend has experimental support for rkt enter (#1303)
  • rkt now supports empty volume types (#1502)
  • An early, experimental read-only API definition has been added (#1359, #1518).

Bug fixes

  • Fixed bug in --stage1-image option which prevented it from using URLs (#1524)
  • Fixed bug in rkt trust's handling of --root (#1494)
  • Fixed bug when decompressing xz-compressed images (#1462, #1224)
  • In earlier versions of rkt, hooks had an implicit timeout of 30 seconds, causing some pre-start jobs which took a long time to be killed. This implicit timeout has been removed. (#1547)
  • When running with the lkvm stage1, rkt now sets $HOME if it is not already set, working around a bug in the lkvm tool (#1447, #1393)
  • Fixed bug preventing run-prepared from working if the metadata service was not available (#1436)

Other changes

  • Bumped appc spec to 0.7.1 (#1543)
  • Bumped CNI and netlink dependencies (#1476)
  • Bumped ioprogress to a version which prevents the download bar from being drawn when rkt is not drawing to a terminal (#1423, #1282)
  • Significantly reworked rkt's internal use of systemd to orchestrate apps, which should facilitate more granular control over pod lifecycles (#1407)
  • Reworked rkt's handling of images with non-deterministic dependencies (#1240, #1198).
  • rkt functional tests now run appc's ACE validator, which should ensure that rkt is always compliant with the specification. (#1473)
  • A swathe of improvements to the build system
    • make clean should now work
    • Different rkt stage1 images are now built with different names (#1406)
    • rkt can now build on older Linux distributions (like CentOS 6) (#1529)
  • Various internal improvements to the functional test suite to improve coverage and consolidate code
  • The "ACI" field header in rkt image output has been changed to "IMAGE NAME"
  • rkt image rm now exits with status 1 on any failure (#1486)
  • Fixed permissions in the default stage1 image (#1503)
  • Added documentation for prepare and run-prepared subcommands (#1526)
  • rkt should now report more helpful errors when encountering manifests it does not understand (#1471)