v0.12.0

rkt v0.12.0 is an incremental release with UX improvements like fine-grained security controls and implicit generation of empty volumes, performance improvements, bug fixes and testing enhancements.

New features and UX changes

• implement rkt cat-manifest for pods (#1744)
• generate an empty volume if a required one is not provided (#1753)
• make disabling security features granular; --insecure-skip-verify is now --insecure-options={feature(s)-to-disable} (#1738). See rkt's Global Options documentation.
• allow skipping the on-disk integrity check using --insecure-options=ondisk. This greatly speeds up start time. (#1804)
• set empty volumes' permissions following the spec (1803)
• flannel networking support in kvm flavor (#1563)

Bug fixes

• store used MCS contexts on the filesystem (#1742)
• fix Docker images with whiteout-ed hard links (#1653)
• fix Docker images relying on /dev/stdout (#1617)
• use authentication for discovery and trust (#1801)
• fix build in Docker (#1798)
• fix kvm networking (#1530)

Improved testing

• add functional tests for rkt api service (#1761)
• fix TestSocketActivation on systemd-v219 (#1768)
• fix the ACE validator test (#1802)

Other changes

• Bumped appc spec to 0.7.3 (#1800)

v0.11.0

rkt v0.11.0 is an incremental release with mostly bug fixes and testing improvements.

New features and UX changes

• support resuming ACI downloads (#1444)
• rkt image gc now also removes images from the store (#1697)

Build

• handle building multiple flavors (#1683)
• verbosity control (#1685, #1686)
• fix bugs in make clean (#1695)

Improved testing

• nicer output in tests (#1698)
• refactor test code (#1709)
• skip CI tests when the source was not modified (#1619)
• better output when tests fail (#1728)
• fix tests in 10.* IP range (#1736)
• document how to run functional tests (#1736)

Improved documentation

• add some help on how to run rkt as a daemon (#1684)

API service

• do not return manifest in ListPods() and ListImages() (#1688)

Bug fixes

• parameter --mount fixed in kvm flavour (#1687)
• fix rkt leaking containers in machinectl on CoreOS (#1694, #1704)
• rkt status now returns the stage1 pid (#1699)
• fix crash in rkt status when an image is removed (#1701)
• fix fd leak in store (#1716)
• fix exec line parsing in ACI manifest (#1652)
• fix build on 32-bit systems (#1729)

v0.10.0

v0.10.0

rkt v0.10.0 is an incremental release with numerous bug fixes and a few small new features and UX improvements.

New features and UX changes

• added implementation for basic API service (rkt api-service) (#1508)
• mount arbitrary volumes with --mount (#1582, #1678)
• --net=none only exposes the loopback interface (#1635)
• better formatting for rkt help (#1597)
• metadata service registration (--mds-register) disabled by default (#1635)

Improved documentation

• compare rkt and other projects (#1588)
• Stage 1 systemd Architecture (#1631)
• packaging rkt in Linux distributions (#1511)

Improved testing

• new test for user namespaces (--private-users) (#1580)
• fix races in tests (#1608)

Bug fixes

• suppress unnecessary output when --debug is not used (#1557)
• fix permission of rootfs with overlayfs (#1607)
• allow relative path in parameters (#1615)
• fix pod garbage collection failure in some cases (#1621)
• fix rkt list when an image was removed (#1655)
• user namespace (--private-users) regression with rkt group fixed (1654)

v0.9.0

v0.9.0

rkt v0.9.0 is a significant milestone release with a number of internal and user-facing changes.

There are several notable breaking changes from the previous release:

• The on-disk format for pod trees has changed slightly, meaning that rkt gc and rkt run-prepared may not work for pods created by previous versions of rkt. To work around this, we recommend removing the pods with an older version of rkt.
• The --private-net flag has been renamed to --net and its semantic has changed (in particular, it is now enabled by default) - see below for details.
• Several changes to CLI output (e.g. column names) from the rkt list and rkt image list subcommands.
• The image fetching behaviour has changed, with the introduction of new flags to rkt run and rkt fetch and the removal of --local - see below for details.

New features and UX changes

--private-net --> --net, and networking is now private by default

The --private-net flag has been changed to --net, and has been now made the default behaviour. (#1532, #1418)
That is, a rkt run command will now by default set up a private network for the pod.
To achieve the previous default behaviour of the pod sharing the networking namespace of the host, use --net=host.
The flag still allows the specification of multiple networks via CNI plugins, and overriding plugin configuration on a per-network basis.
For more details, see the networking documentation.

New image fetching behaviour

When fetching images during rkt fetch or rkt run, rkt would previously behave inconsistently for different formats (e.g when performing discovery or when retrieving a Docker image) when deciding whether to use a cached version or not.
rkt run featured a --local flag to adjust this behaviour but it provided an unintuitive semantic and was not available to the rkt fetch command.
Instead, rkt now features two new flags, --store-only and --no-store, on both the rkt fetch and rkt run commands, to provide more consistent, controllable, and predictable behaviour regarding when images should be retrieved.
For full details of the new behaviour see the image fetching documentation.

Unprivileged users

A number of changes were made to the permissions of rkt's internal store to facilitate unprivileged users to access information about images and pods on the system (#1542, #1569).
In particular, the set-group-ID bit is applied to the directories touched by rkt install so that the rkt group (if it exists on the system) can retain read-access to information about pods and images.
This will be used by the rkt API service (targeted for the next release) so that it can run as an unprivileged user on the system.
This support is still considered partially experimental.
Some tasks like rkt image gc remain a root-only operation.

/etc/hosts support

If no /etc/hosts exists in an application filesystem at the time it starts running, rkt will now provide a basic default version of this file.
If rkt detects one already in the app's filesystem (whether through being included in an image, or a volume mounted in), it will make no changes. (#1541)

Other new features

• rkt now supports setting supplementary group IDs on processes (#1514).
• rkt's use of cgroups has been reworked to facilitate rkt running on a variety of operating systems like Void and older non-systemd distributions (#1437, #1320, #1076, #1042)
• If rkt run is used with an image that does not have an app section, rkt will now create one if the user provides an --exec flag (#1427)
• A new rkt image gc command adds initial support for garbage collecting images from the store (#1487). This removes treeStores not referenced by any non-GCed rkt pod.
• rkt list now provides more information including image version and hash (#1559)
• rkt image list output now shows shortened hash identifiers by default, and human readable date formats.
  To use the previous output format, use the --full flag. (#1455)
• rkt prepare gained the --exec flag, which restores flag-parity with rkt run (#1410)
• lkvm stage1 backend has experimental support for rkt enter (#1303)
• rkt now supports empty volume types (#1502)
• An early, experimental read-only API definition has been added (#1359, #1518).

Bug fixes

• Fixed bug in --stage1-image option which prevented it from using URLs (#1524)
• Fixed bug in rkt trust's handling of --root (#1494)
• Fixed bug when decompressing xz-compressed images (#1462, #1224)
• In earlier versions of rkt, hooks had an implicit timeout of 30 seconds, causing some pre-start jobs which took a long time to be killed. This implicit timeout has been removed. (#1547)
• When running with the lkvm stage1, rkt now sets $HOME if it is not already set, working around a bug in the lkvm tool (#1447, #1393)
• Fixed bug preventing run-prepared from working if the metadata service was not available (#1436)

Other changes

• Bumped appc spec to 0.7.1 (#1543)
• Bumped CNI and netlink dependencies (#1476)
• Bumped ioprogress to a version which prevents the download bar from being drawn when rkt is not drawing to a terminal (#1423, #1282)
• Significantly reworked rkt's internal use of systemd to orchestrate apps, which should facilitate more granular control over pod lifecycles (#1407)
• Reworked rkt's handling of images with non-deterministically dependencies (#1240, #1198).
• rkt functional tests now run appc's ACE validator, which should ensure that rkt is always compliant with the specification. (#1473)
• A swathe of improvements to the build system
  • make clean should now work
  • Different rkt stage1 images are now built with different names (#1406)
  • rkt can now build on older Linux distributions (like CentOS 6) (#1529)
• Various internal improvements to the functional test suite to improve coverage and consolidate code
• The "ACI" field header in rkt image output has been changed to "IMAGE NAME"
• rkt image rm now exits with status 1 on any failure (#1486)
• Fixed permissions in the default stage1 image (#1503)
• Added documentation for prepare and run-prepared subcommands (#1526)
• rkt should now report more helpful errors when encountering manifests it does not understand (#1471)

v0.8.1

While the noticeable changes should be minimal, there are a huge number of bug fixes and improvements under the hood which sets us up nicely for a significant v0.9.0 release in the next couple of weeks.

A few notable UX changes in this release:

• Arguments can now be passed through to CNI plugins on the command line - see the networking documentation for details
• The default metadata service port has been changed from 2375 (which had an unfortunate conflict with an IANA registered/reserved port) to an arbitrary non-registered port, 18112
• The APPNAME field in the output of rkt image list has been changed to the more accurate NAME
• rkt rm now supports a variable number of arguments, allowing the removal of multiple pods simultaneously

Full list of changes:

• New features and UX changes:
  • rkt rm is now variadic: it can now remove multiple pods in one command, by UUID
  • The APPNAME column in rkt image list output has been changed to the more accurate NAME. This involves a schema change in rkt's on-disk datastore, but this should be upgraded transparently.
  • Headers are now sent when following HTTP redirects while trying to retrieve an image
  • The default metadata service port number was changed from a registered/reserved IANA port to an arbitrary port in the non-dynamic range
  • Added the ability to override arguments for network plugins
  • rkt will now error out if someone attempts to use --private-users with the lkvm backend
• Bug fixes:
  • Fixed creation of /tmp in apps' root filesystems with correct permissions
  • Fixed garbage collection after umounts (for example, if a system reboots before a pod is cleanly destroyed)
  • Fixed a race in interactive mode when using the lkvm backend that could cause a deadlock or segfault
  • Fixed bad parameter being passed to the metadata service ("uid" -> "uuid")
  • Fixed setting of file permissions during stage1 set up
  • Fixed a potential race condition during simultaneous iptables invocation
  • Fixed ACI download progress being sent to stderr instead of stdout, now consistent with the output during retrieval of Docker images
  • rkt help prepare will now show the correct default stage1 image
  • rkt will refuse to add isolators with nil Limits, preventing a panic caused by an ambiguity in upstream appc schema
• Other changes:
  • Reworked the SELinux implementation to use systemd-nspawn's native context-switching feature
  • Added a workaround for a bug in Docker <1.8 when it is run on the same system as rkt (see #1210 (comment))
  • Added a rkt-xxxx-tapN name to tap devices that rkt creates
  • Functional tests now clean intermediate images between tests
  • Countless improvements and cleanup to the build system
  • Numerous documentation improvements, including splitting out all top-level rkt subcommands into their own documents

v0.8.0

rkt 0.8.0 includes support for running containers under an LKVM hypervisor and experimental user namespace support. A blog post explaining the features can be found here: https://coreos.com/blog/rkt-0.8-with-new-vm-support/

Full changelog:

• Documentation improvements
• Better integration with systemd:
  • journalctl -M
  • machinectl {reboot,poweroff}
• Update stage1's systemd to v222
• Add more functional tests
• Build system improvements
• Fix bugs with garbage-collection
• LKVM stage1 support with network and volumes
• Smarter image discovery: ETag and Cache-Control support
• Add CNI DHCP plugin
• Add CNI flannel plugin
• Support systemd socket activation
• Backup CAS database when migrating
• Improve error messages
• Add the ability to override ACI exec
• Optimize rkt startup times when a stage1 is present in the store
• Trust keys fetched via TLS by default
• Add the ability to garbage-collect a specific pod
• Add experimental user namespace support
• Bugfixes

v0.8.0-rc1

rkt 0.8.0-rc1 includes support for running containers under an LKVM hypervisor
and experimental user namespace support.

Full changelog:

• Documentation improvements
• Better integration with systemd:
  • journalctl -M
  • machinectl {reboot,poweroff}
• Update stage1's systemd to v222
• Add more functional tests
• Build system improvements
• Fix bugs with garbage-collection
• LKVM stage1 support with network and volumes
• Smarter image discovery: ETag and Cache-Control support
• Add CNI DHCP plugin
• Support systemd socket activation
• Backup CAS database when migrating
• Improve error messages
• Add the ability to override ACI exec
• Optimize rkt startup times when a stage1 is present in the store
• Trust keys fetched via TLS by default
• Add the ability to garbage-collect a specific pod
• Add experimental user namespace support
• Bugfixes

v0.7.0

rkt 0.7.0 includes new subcommands for rkt image to manipulate images from the local store.

It also has a new build system based on autotools and integration with SELinux.

Full changelog:

• New subcommands for rkt image: extract, render and export
• Metadata service:
  • Auth now based on tokens
  • Registration done by default, unless --mds-register=false is passed
• Build:
  • Remove support for Go 1.3
  • Replace build system with autoconf and make
• Network: fixes for plugins related to mnt namespace
• Signature: clearer error messages
• Security:
  • Support for SELinux
  • Check signature before downloading
• Commands: fix error messages and parameter parsing
• Output: reduce output verbosity
• Systemd integration: fix stop bug
• Tests: Improve tests output

v0.6.1

The highlight of this release is the support of per-app memory and CPU
isolators. This means that, in addition to restricting a pod’s CPU and memory
usage, individual apps inside a pod can also be restricted now.

rkt 0.6.1 also includes a new CLI/subcommand framework, more functional testing
and journalctl integration by default.

Notes:

• Due to changes in the spec ACIs generated with old versions of it might need to be rebuilt.
• As a consequence of using the new CLI/subcommand framework, long forms of command line options have to be prefixed by -- and, if they receive an argument, it should be separated from the option with =. For example: use --foo=bar instead of --foo bar or -foo=bar.

Full changelog:

• Updated to v0.6.1 of the appc spec
• support per-app memory and CPU isolators
• allow network selection to the --private-net flag which can be useful for
  grouping certain pods together while separating others
• move to the Cobra CLI/subcommand framework
• per-app logging via journalctl now supported by default
• stage1 runs an unpatched systemd v220
• to help packagers, rkt can generate stage1 from the binaries on the host at
  runtime
• more functional tests
• bugfixes

v0.5.6

rkt 0.5.6 includes better integration with systemd on the host, some minor bug fixes and a new ipvlan network plugin.

Full changelog:

• Updated to v0.5.2 of the appc spec
• support running from systemd unit files for top-level isolation
• support per-app logging via journalctl. This is only supported if stage1 has systemd v219 or v220
• add ipvlan network plugin
• new rkt subcommand: cat-manifest
• extract ACI in a chroot to avoid malformed links modifying the host filesystem
• improve rkt error message if the user doesn’t provide required volumes
• fix rkt status when using overlayfs
• support for some arm architectures
• documentation improvements