This release focuses on security enhancements. It provides additional isolators and creates a new mount namespace per app. Stage1 now also uses a new version of CoreOS, 1032.0.0, with systemd v229.
New features and UX changes
- stage1: implement read-only rootfs (#2624). Setting the Pod manifest readOnlyRootFS option mounts the app's rootfs read-only using the systemd-exec unit option ReadOnlyDirectories; see appc/spec.
- stage1: capabilities: implement both remain set and remove set (#2589). It follows the Linux Isolators semantics from the App Container Executor spec, as modified by appc/spec#600.
- stage1/init: create a new mount ns for each app (#2603). Up to this point, you could easily escape the app's chroot by using a simple program downloaded from the internet [1]. To avoid this, we now create a new mount namespace for each app.
- api: Return the pods even when we failed getting information about them (#2593).
- stage1/usr_from_coreos: use CoreOS 1032.0.0 with systemd v229 (#2514).
- kvm: fix flannel network info (#2625). It wasn't saving the network information on disk.
- stage1: Machine name wasn't being populated with the full UUID (#2575).
- rkt: Some simple arg doc string fixes (#2588). Removes some unnecessary indefinite articles from the start of argument doc strings and fixes the arg doc string for run-prepared's --interactive flag.
- stage1: Fix segfault in enterexec (#2608). This happened if rkt enter was executed without the TERM environment variable set.
- net: fix port forwarding behavior with custom CNI ipMasq'ed networks and allow different hostPort:podPort combinations (#2387).
- stage0: check and create /etc (#2599). Checks '/etc' before writing to '/etc/rkt-resolv.conf' and creates it with default permissions if it doesn't exist.
- godep: update cni to v0.2.3 (#2618).
- godep: update appc/spec to v0.8.1 (#2623, #2611).
- dist: Update tmpfiles to create /etc/rkt (#2472). By creating this directory, users can run rkt trust without being root, if the user is in the rkt group.
- Invoke gofmt with simplify-code flag (#2489). Enables code simplification checks of gofmt.
- Implement composable uid/gid generators (#2510). This cleans up the code a bit and implements uid/gid functionality for rkt fly.
- stage1: download CoreOS over HTTPS (#2568).
- Documentation updates (#2555, #2609, #2605, #2578, #2614, #2579, #2570).
- Test improvements (#2613, #2566, #2508).
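
A defender-side check for the per-app mount namespace change (#2603), added here as an example and not taken from rkt: it groups processes by the inode in their /proc/<pid>/ns/mnt link and reports any namespace shared by more than one of them. The function names, the labels and the namespace inodes in main are assumptions and constructed sample values.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// parseMntLink extracts the inode from a /proc/<pid>/ns/mnt target, e.g. "mnt:[4026531840]".
func parseMntLink(target string) (uint64, error) {
	if !strings.HasPrefix(target, "mnt:[") || !strings.HasSuffix(target, "]") {
		return 0, fmt.Errorf("unexpected mount namespace link %q", target)
	}
	return strconv.ParseUint(target[len("mnt:["):len(target)-1], 10, 64)
}

// sharedMountNS maps namespace inode -> sorted labels for each namespace used by 2+ processes.
func sharedMountNS(links map[string]string) (map[uint64][]string, error) {
	byInode := map[uint64][]string{}
	for label, target := range links {
		inode, err := parseMntLink(target)
		if err != nil {
			return nil, fmt.Errorf("%s: %v", label, err)
		}
		byInode[inode] = append(byInode[inode], label)
	}
	for inode, labels := range byInode {
		sort.Strings(labels)
		if len(labels) < 2 {
			delete(byInode, inode) // isolated from the others: nothing to report
		}
	}
	return byInode, nil
}

func main() {
	// Constructed sample links; pass app PIDs as arguments to read the real ones from /proc.
	links := map[string]string{"app-a": "mnt:[4026532301]", "app-b": "mnt:[4026532301]"}
	if len(os.Args) > 1 {
		links = map[string]string{}
	}
	for _, pid := range os.Args[1:] {
		// A failed readlink leaves "", which sharedMountNS rejects with the PID in the error.
		links["pid "+pid], _ = os.Readlink("/proc/" + pid + "/ns/mnt")
	}
	fmt.Println(sharedMountNS(links))
}
```

An empty result for the app processes of one pod means each app has its own mount namespace; any entry lists the apps that still share one.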