This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

Releases: rkt/rkt

v1.21.0

08 Dec 15:43

This release includes bugfixes for the experimental CRI support, more stable integration tests, and some other interesting changes:

  • The default-restricted network changed from 172.16.28.0/24 to 172.17.0.0/26.
  • The detailed roadmap for OCI support has been finalized.

For more information, see the changelog

v1.20.0

24 Nov 16:10

This release contains additional bug fixes for the new experimental app subcommand, following the path towards the Container Runtime Interface (CRI).
It also takes a first step towards OCI by introducing an internal concept called "distribution points", which will allow rkt to recognize multiple image formats internally.
Finally, the rkt fly flavor gained support for rkt enter.

New features and UX changes

  • stage1/fly: Add a working rkt enter implementation (#3377).

Bug fixes:

  • tests/build-and-run-test.sh: fix systemd revision parameter (#3395).
  • namefetcher: Use ETag in fetchVerifiedURL() (#3374).
  • rkt/run: validates pod manifest to make sure it contains at least one app (#3363).
  • rkt/app: multiple bugfixes (#3405).

Other changes

  • glide: deduplicate cni entries and update go-systemd (#3372).
  • stage0: improve list --format behavior and flags (#3403).
  • pkg/pod: flatten the pod state if-ladders (#3404).
  • tests: adjust security tests for systemd v232 (#3401).
  • image: export ImageListEntry type for image list (#3383).
  • glide: bump gopsutil to v2.16.10 (#3400).
  • stage1: update coreos base to alpha 1235.0.0 (#3388).
  • rkt: Implement distribution points (#3369). This is the implementation of the distribution concept proposed in #2953.
  • build: add --with-stage1-systemd-revision option for src build (#3362).
  • remove isReallyNil() (#3381). This is a cleanup PR, removing some reflection-based code.
  • vendor: update appc/spec to 0.8.9 (#3384).
  • vendor: Remove direct k8s dependency (#3312).
  • Documentation updates: #3366, #3376, #3379, #3406, #3410.

v1.19.0

10 Nov 15:07
b99977f

This release contains multiple changes to rkt core, bringing it more in line with the new Container Runtime Interface (CRI) from Kubernetes.

A new experimental app subcommand has been introduced, which allows creating a "pod sandbox" and dynamically mutating it at runtime. This feature is not yet completely stabilized, and is currently gated behind an experimental flag.

New features and UX changes

  • rkt: experimental support for pod sandbox (#3318). This PR introduces an experimental app subcommand and many additional app-level options.
  • rkt/image: align image selection behavior for the rm subcommand (#3353).
  • stage1/init: leave privileged pods without stage2 mount-ns (#3290).
  • stage0/image: list images output in JSON format (#3334).
  • stage0/arch: initial support for ppc64le platform (#3315).

Bug fixes:

  • gc: make sure CNI_PATH is same for gc and init (#3348).
  • gc: clean up some GC leaks (#3317).
  • stage0: minor wording fixes (#3351).
  • setup-data-dir.sh: fallback to the mkdir/chmods if the rkt.conf doesn't exist (#3335).
  • scripts: add gpg to Debian dependencies (#3339).
  • kvm: fix for breaking change in Debian Sid GCC default options (#3354).
  • image/list: bring back field filtering in plaintext mode (#3361).

Other changes

  • cgroup/v1: introduce mount flags to mountFsRO (#3350).
  • kvm: update QEMU version to 2.7.0 (#3341).
  • kvm: bump kernel version to 4.8.6, updated config (#3342).
  • vendor: introduce kr/pretty and bump go-systemd (#3333).
  • vendor: update docker2aci to 0.14.0 (#3356).
  • tests: add the --debug option to more tests (#3340).
  • scripts/build-rir: bump rkt-builder version to 1.1.1 (#3360).
  • Documentation updates: #3321, #3331, #3325.

v1.18.0

27 Oct 15:24

This minor release contains bugfixes, UX enhancements, and other improvements.

UX changes:

  • rkt: gate diagnostic output behind --debug (#3297).
  • rkt: Change exit codes to 254 (#3261).

Bug fixes:

  • stage1/kvm: correctly bind-mount read-only volumes (#3304).
  • stage0/cas: apply xattr attributes (#3305).
  • scripts/install-rkt: add iptables dependency (#3309).
  • stage0/image: set proxy if InsecureSkipVerify is set (#3303).

Other changes

  • vendor: update docker2aci to 0.13.0 (#3314). This fixes multiple fetching and conversion bugs, including two security issues.
  • scripts: update glide vendor script (#3313).
  • vendor: update appc/spec to v0.8.8 (#3310).
  • stage1: update to CoreOS 1192.0.0 (and update sanity checks) (#3283).
  • cgroup: introduce proper cgroup/v1, cgroup/v2 packages (#3277).
  • Documentation updates: (#3281, #3319, #3308).

v1.17.0

13 Oct 12:45

This is a minor release packaging rkt-api systemd service units, and fixing a bug caused by overly long lines in generated stage1 unit files.

New features and UX changes

  • dist: Add systemd rkt-api service and socket (#3271).
  • dist: package rkt-api unit files (#3275).

Bug fixes

  • stage1: break down overlong property lines (#3279).

Other changes

  • stage0: fix typo and some docstring style (#3266).
  • stage0: Create an mtab symlink if not present (#3265).
  • stage1: use systemd protection for kernel tunables (#3273).
  • Documentation updates: (#3280, #3263, #3268, #3254, #3199, #3256)

v1.16.0

30 Sep 11:35
daeae7e

This release contains an important bugfix for the stage1-host flavor, as well as initial internal support for cgroup2 and pod sandboxes as specified by the Kubernetes CRI (Container Runtime Interface).

Bug fixes

  • stage1/host: fix systemd-nspawn args ordering (#3216). Fixes #3215.

New features

  • rkt: support for unified cgroups (cgroup2) (#3032). This implements support for cgroups v2 alongside support for the legacy version.
  • cri: initial implementation of stage1 changes (#3218). This PR pulls the stage1-based changes from the CRI branch back into master, leaving out the changes in stage0 (new app subcommands).

Other changes

  • doc/using-rkt-with-systemd: fix the go app example (#3217).
  • rkt: refactor app-level flags handling (#3209). This is in preparation for #3205.
  • docs/distributions: rearrange, add centos (#3212).
  • rkt: Correct typos listed by the tool misspell (#3208).

v1.15.0

15 Sep 15:20

This release brings some expanded DNS configuration options, beta support for QEMU, recursive volume mounts, and improved sd_notify support.

Major changes:

  • DNS configuration improvements (#3161):
    • Respect DNS results from CNI
    • Add --dns=host mode to bind-mount the host's /etc/resolv.conf
    • Add --dns=none mode to ignore CNI DNS
    • Add --hosts-entry (IP=HOSTNAME) to tweak the pod's /etc/hosts
    • Add --hosts-entry=host to bind-mount the host's /etc/hosts
  • Introduce QEMU support as an alternative KVM hypervisor (#2952)
  • add support for recursive volume/mounts (#2880)
  • stage1: allow sd_notify from the app in the container to the host (#2826).

v1.14.0

01 Sep 10:41

This release updates the coreos and kvm flavors, bringing in a newer stable systemd (v231). Several fixes and cgroups-related changes landed in api-service, and better heuristics have been introduced to avoid using overlays in non-supported environments. Finally, run-prepared now honors options for insecure/privileged pods too.

New features and UX changes

  • stage1: update to CoreOS 1151.0.0 and systemd v231 (#3122).
  • common: fall back to non-overlay with ftype=0 (#3105).
  • rkt: honor insecure-options in run-prepared (#3138).

Bug fixes

  • stage0: fix golint warnings (#3099).
  • rkt: avoid possible panic in api-server (#3111).
  • rkt/run: allow --set-env-file files with comments (#3115).
  • scripts/install-rkt: add wget as dependency (#3124).
  • install-rkt.sh: scripts: Fix missing files in .deb when using install-rkt.sh (#3127).
  • tests: check for run-prepared with insecure options (#3139).

Other changes

  • seccomp/docker: update docker whitelist to include mlock (#3126). This updates the @docker/default-whitelist to include mlock-related syscalls (mlock, mlock2, mlockall).
  • build: add PowerPC (#2936).
  • scripts: install-rkt.sh: fail install-pak on errors (#3150). When install-pak (called from install-rkt.sh) fails at some point, abort packaging.
  • api_service: Rework cgroup detection (#3072). Use the subcgroup file hint provided by some stage1s rather than machined registration.
  • Documentation/devel: add make images target (#3142). This introduces the possibility to generate graphviz-based PNG images using a new images make target.
  • vendor: update appc/spec to 0.8.7 (#3143).
  • stage1/kvm: avoid writing misleading subcgroup (#3107).
  • vendor: update go-systemd to v12 (#3125).
  • scripts: bump coreos.com/rkt/builder image version (#3092). This bumps rkt-builder version to 1.0.2, in order to work with seccomp filtering.
  • export: test export for multi-app pods (#3075).
  • Documentation updates: (#3146, #2954, #3128, #2953, #3103, #3087, #3097, #3096, #3095, #3089)

v1.13.0

18 Aug 16:21
4d403da

This release introduces support for exporting single applications out of multi-app pods. Moreover, it adds additional support to control device manipulation inside pods. Finally, all runtime security features can now be optionally disabled at the pod level via new insecure options. This version also contains multiple bugfixes and supports Go 1.7.

New features and UX changes

  • export: name flag for exporting multi-app pods (#3030).
  • stage1: limit device node creation/reading/writing with DevicePolicy= and DeviceAllow= (#3027, #3058).
  • rkt: implements --insecure-options={capabilities,paths,seccomp,run-all} (#2983).

Bug fixes

  • kvm: use a properly formatted comment for iptables chains (#3038). rkt was using the chain name as comment, which could lead to confusion.
  • pkg/label: supply mcsdir as function argument to InitLabels() (#3045).
  • api_service: improve machined call error output (#3059).
  • general: fix old appc/spec version in various files (#3055).
  • rkt/pubkey: use custom http client including timeout (#3084).
  • dist: remove quotes from rkt-api.service ExecStart (#3079).
  • build: multiple fixes (#3042, #3041, #3046).
  • configure: disable tests on host flavor with systemd <227 (#3047).

Other changes

  • travis: add go 1.7, bump go 1.5/1.6 (#3077).
  • api_service: Add lru cache to cache image info (#2910).
  • scripts: add curl as build dependency (#3070).
  • vendor: use appc/spec 0.8.6 and k8s.io/kubernetes v1.3.0 (#3063).
  • common: use fileutil.IsExecutable() (#3023).
  • build: Stop printing irrelevant invalidation messages (#3050).
  • build: Make generating clean files simpler to do (#3057).
  • Documentation: misc changes (#3053, #2911, #3035, #3036, #3037, #2945, #3083, #3076, #3033, #3064, #2932).
  • functional tests: misc fixes (#3049).

v1.12.0

04 Aug 16:51
d80741d

This release introduces support for seccomp filtering via two new seccomp isolators. It also gives a boost to api-service performance by introducing manifest caching. Finally it fixes several regressions related to Docker images handling.

New features and UX changes

  • cli: rename --cap-retain and --cap-remove to --caps-* (#2994).
  • stage1: apply seccomp isolators (#2753). This introduces support for appc seccomp isolators.
  • scripts: add /etc/rkt owned by group rkt-admin in setup-data-dir.sh (#2944).
  • rkt: add --caps-retain and --caps-remove to prepare (#3007).
  • store: allow users in the rkt group to delete images (#2961).
  • api_service: cache pod manifest (#2891). Manifest caching considerably improves api-service performance.
  • store: tell the user to run as root on db update (#2966).
  • stage1: disabling cgroup namespace in systemd-nspawn (#2989). For more information see systemd#3589.
  • fly: copy rkt-resolv.conf in the app (#2982).
  • store: decouple aci store and treestore implementations (#2919).
  • store: record ACI fetching information (#2960).

Bug fixes

  • stage1/init: fix writing of /etc/machine-id (#2977).
  • rkt-monitor: multiple fixes (#2927, #2988).
  • rkt: don't errwrap cli_apps errors (#2958).
  • pkg/tar/chroot: avoid errwrap in function called by multicall (#2997).
  • networking: apply CNI args to the default networks as well (#2985).
  • trust: provide InsecureSkipTLSCheck to pubkey manager (#3016).
  • api_service: update grpc version (#3015).
  • fetcher: httpcaching fixes (#2965).

Other changes

  • build,stage1/init: set interpBin at build time for src flavor (#2978).
  • common: introduce RemoveEmptyLines() (#3004).
  • glide: update docker2aci to v0.12.3 (#3026). This fixes multiple bugs in layers ordering for Docker images.
  • glide: update go-systemd to v11 (#2970). This fixes a buggy corner-case in journal seeking (implicit seek to head).
  • docs: document capabilities overriding (#2917, #2991).
  • issue template: add '\n' to the end of environment output (#3008).
  • functional tests: multiple fixes (#2999, #2979, #3014).