rkt / rkt Archived

v1.7.0

This release introduces some new security features, including a "no-new-privileges" isolator and initial (partial) restrictions on /proc and /sys access.
Cgroups handling has also been improved with regards to setup and cleaning. Many bugfixes and new documentation are included too.

New features and UX changes

• stage1: implement no-new-privs linux isolator (#2677).
• stage0: disable OverlayFS by default when working on ZFS (#2600).
• stage1: (partially) restrict access to procfs and sysfs paths (#2683).
• stage1: clean up pod cgroups on GC (#2655).
• stage1/prepare-app: don't mount /sys/fs/cgroup in stage2 (#2681).
• stage0: complain and abort on conflicting CLI flags (#2666).
• stage1: update CoreOS image signing key (#2659).
• api_service: Implement GetLogs RPC request (#2662).
• networking: update to CNI v0.3.0 (#3696).

Bug fixes

• api: fix image size reporting (#2501).
• build: fix build failures on manpages/bash-completion target due to missing GOPATH (#2646).
• dist: fix "other" permissions so rkt list can work without root/rkt-admin (#2698).
• kvm: fix logging network plugin type (#2635).
• kvm: transform flannel network to allow teardown (#2647).
• rkt: fix panic on rm a non-existing pod with uuid-file (#2679).
• stage1/init: work around cgroup/SCM_CREDENTIALS race (#2645).
• gc: mount stage1 on GC (#2704).
• stage1: fix network files leak on GC (#2319).

Other changes

• deps: remove unused dependencies (#2703).
• deps: appc/spec, k8s, protobuf updates (#2697).
• deps: use tagged release of github.com/shirou/gopsutil (#2705).
• deps: bump docker2aci to v0.11.1 (#2719).
• Documentation updates (#2620, #2700, #2637, #2591, #2651, #2699, #2631).
• Test improvements (#2587, #2656, #2676, #2554, #2690, #2674, #2665, #2649, #2643, #2637, #2633).