github.com/stackdocker/rkt@v0.10.1-0.20151109095037-1aa827478248/CHANGELOG.md

## v0.10.0

rkt v0.10.0 is an incremental release with numerous bug fixes and a few small new features and UX improvements.

#### New features and UX changes

- added implementation for basic API service (`rkt api-service`) (#1508)
- mount arbitrary volumes with `--mount` (#1582, #1678)
- `--net=none` only exposes the loopback interface (#1635)
- better formatting for rkt help (#1597)
- metadata service registration (`--mds-register`) disabled by default (#1635)

#### Improved documentation
- [compare rkt and other projects](https://github.com/coreos/rkt/blob/master/Documentation/rkt-vs-other-projects.md) (#1588)
- [Stage 1 systemd Architecture](https://github.com/coreos/rkt/blob/master/Documentation/devel/architecture.md) (#1631)
- [packaging rkt in Linux distributions](https://github.com/coreos/rkt/blob/master/Documentation/packaging.md) (#1511)

#### Improved testing
- new test for user namespaces (`--private-users`) (#1580)
- fix races in tests (#1608)

#### Bug fixes
- suppress unnecessary output when `--debug` is not used (#1557)
- fix permission of rootfs with overlayfs (#1607)
- allow relative path in parameters (#1615)
- fix pod garbage collection failure in some cases (#1621)
- fix `rkt list` when an image was removed (#1655)
- user namespace (`--private-users`) regression with rkt group fixed (#1654)

## v0.9.0

rkt v0.9.0 is a significant milestone release with a number of internal and user-facing changes.

There are several notable breaking changes from the previous release:
- The on-disk format for pod trees has changed slightly, meaning that `rkt gc` and `rkt run-prepared` may not work for pods created by previous versions of rkt. To work around this, we recommend removing the pods with an older version of rkt.
- The `--private-net` flag has been renamed to `--net` and its semantics have changed (in particular, it is now enabled by default) - see below for details.
- Several changes to CLI output (e.g. column names) from the `rkt list` and `rkt image list` subcommands.
- The image fetching behaviour has changed, with the introduction of new flags to `rkt run` and `rkt fetch` and the removal of `--local` - see below for details.

#### New features and UX changes

###### `--private-net` --> `--net`, and networking is now private by default
The `--private-net` flag has been changed to `--net`, and has now been made the default behaviour. (#1532, #1418)
That is, a `rkt run` command will now by default set up a private network for the pod.
To achieve the previous default behaviour of the pod sharing the networking namespace of the host, use `--net=host`.
The flag still allows the specification of multiple networks via CNI plugins, and overriding plugin configuration on a per-network basis.
For more details, see the [networking documentation](Documentation/networking.md).

###### New image fetching behaviour
When fetching images during `rkt fetch` or `rkt run`, rkt would previously behave inconsistently for different formats (e.g. when performing discovery or when retrieving a Docker image) when deciding whether to use a cached version or not.
`rkt run` featured a `--local` flag to adjust this behaviour but it provided unintuitive semantics and was not available to the `rkt fetch` command.
Instead, rkt now features two new flags, `--store-only` and `--no-store`, on both the `rkt fetch` and `rkt run` commands, to provide more consistent, controllable, and predictable behaviour regarding when images should be retrieved.
For full details of the new behaviour see the [image fetching documentation](Documentation/image-fetching-behavior.md).

###### Unprivileged users
A number of changes were made to the permissions of rkt's internal store to allow unprivileged users to access information about images and pods on the system (#1542, #1569).
In particular, the set-group-ID bit is applied to the directories touched by `rkt install` so that the `rkt` group (if it exists on the system) can retain read access to information about pods and images.
This will be used by the rkt API service (targeted for the next release) so that it can run as an unprivileged user on the system.
This support is still considered partially experimental.
Some tasks like `rkt image gc` remain a root-only operation.

###### /etc/hosts support
If no `/etc/hosts` exists in an application filesystem at the time it starts running, rkt will now provide a basic default version of this file.
If rkt detects one already in the app's filesystem (whether through being included in an image, or a volume mounted in), it will make no changes. (#1541)

##### Other new features
- rkt now supports setting supplementary group IDs on processes (#1514).
- rkt's use of cgroups has been reworked to facilitate rkt running on a variety of operating systems like Void and older non-systemd distributions (#1437, #1320, #1076, #1042)
- If `rkt run` is used with an image that does not have an app section, rkt will now create one if the user provides an `--exec` flag (#1427)
- A new `rkt image gc` command adds initial support for garbage collecting images from the store (#1487). This removes treeStores not referenced by any non-GCed rkt pod.
- `rkt list` now provides more information including image version and hash (#1559)
- `rkt image list` output now shows shortened hash identifiers by default, and human readable date formats. To use the previous output format, use the `--full` flag. (#1455)
- `rkt prepare` gained the `--exec` flag, which restores flag-parity with `rkt run` (#1410)
- lkvm stage1 backend has experimental support for `rkt enter` (#1303)
- rkt now supports empty volume types (#1502)
- An early, experimental read-only API definition has been added (#1359, #1518).

#### Bug fixes
- Fixed bug in `--stage1-image` option which prevented it from using URLs (#1524)
- Fixed bug in `rkt trust`'s handling of `--root` (#1494)
- Fixed bug when decompressing xz-compressed images (#1462, #1224)
- In earlier versions of rkt, hooks had an implicit timeout of 30 seconds, causing some pre-start jobs which took a long time to be killed. This implicit timeout has been removed. (#1547)
- When running with the lkvm stage1, rkt now sets `$HOME` if it is not already set, working around a bug in the lkvm tool (#1447, #1393)
- Fixed bug preventing `run-prepared` from working if the metadata service was not available (#1436)

#### Other changes
- Bumped appc spec to 0.7.1 (#1543)
- Bumped CNI and netlink dependencies (#1476)
- Bumped ioprogress to a version which prevents the download bar from being drawn when rkt is not drawing to a terminal (#1423, #1282)
- Significantly reworked rkt's internal use of systemd to orchestrate apps, which should facilitate more granular control over pod lifecycles (#1407)
- Reworked rkt's handling of images with non-deterministic dependencies (#1240, #1198).
- rkt functional tests now run appc's ACE validator, which should ensure that rkt is always compliant with the specification. (#1473)
- A swathe of improvements to the build system
  - `make clean` should now work
  - Different rkt stage1 images are now built with different names (#1406)
  - rkt can now build on older Linux distributions (like CentOS 6) (#1529)
- Various internal improvements to the functional test suite to improve coverage and consolidate code
- The "ACI" field header in `rkt image` output has been changed to "IMAGE NAME"
- `rkt image rm` now exits with status 1 on any failure (#1486)
- Fixed permissions in the default stage1 image (#1503)
- Added documentation for `prepare` and `run-prepared` subcommands (#1526)
- rkt should now report more helpful errors when encountering manifests it does not understand (#1471)


## v0.8.1

rkt v0.8.1 is an incremental release with numerous bug fixes and clean-up to the build system. It also introduces a few small new features and UX improvements.

- New features and UX changes:
  - `rkt rm` is now variadic: it can now remove multiple pods in one command, by UUID
  - The `APPNAME` column in `rkt image list` output has been changed to the more accurate `NAME`. This involves a schema change in rkt's on-disk datastore, but this should be upgraded transparently.
  - Headers are now sent when following HTTP redirects while trying to retrieve an image
  - The default metadata service port number was changed from a registered/reserved IANA port to an arbitrary port in the non-dynamic range
  - Added the ability to override arguments for network plugins
  - rkt will now error out if someone attempts to use `--private-users` with the lkvm backend
- Bug fixes:
  - Fixed creation of /tmp in apps' root filesystems with correct permissions
  - Fixed garbage collection after umounts (for example, if a system reboots before a pod is cleanly destroyed)
  - Fixed a race in interactive mode when using the lkvm backend that could cause a deadlock or segfault
  - Fixed bad parameter being passed to the metadata service ("uid" -> "uuid")
  - Fixed setting of file permissions during stage1 set up
  - Fixed a potential race condition during simultaneous `iptables` invocation
  - Fixed ACI download progress being sent to stderr instead of stdout, now consistent with the output during retrieval of Docker images
  - `rkt help prepare` will now show the correct default stage1 image
  - rkt will refuse to add isolators with nil Limits, preventing a panic caused by an ambiguity in upstream appc schema
- Other changes:
  - Reworked the SELinux implementation to use `systemd-nspawn`'s native context-switching feature
  - Added a workaround for a bug in Docker <1.8 when it is run on the same system as rkt (see https://github.com/coreos/rkt/issues/1210#issuecomment-132793300)
  - Added a `rkt-xxxx-tapN` name to tap devices that rkt creates
  - Functional tests now clean intermediate images between tests
  - Countless improvements and cleanup to the build system
  - Numerous documentation improvements, including splitting out all top-level `rkt` subcommands into their own documents

## v0.8.0

rkt 0.8.0 includes support for running containers under an LKVM hypervisor
and experimental user namespace support.

Full changelog:

- Documentation improvements
- Better integration with systemd:
  - journalctl -M
  - machinectl {reboot,poweroff}
- Update stage1's systemd to v222
- Add more functional tests
- Build system improvements
- Fix bugs with garbage-collection
- LKVM stage1 support with network and volumes
- Smarter image discovery: ETag and Cache-Control support
- Add CNI DHCP plugin
- Support systemd socket activation
- Backup CAS database when migrating
- Improve error messages
- Add the ability to override ACI exec
- Optimize rkt startup times when a stage1 is present in the store
- Trust keys fetched via TLS by default
- Add the ability to garbage-collect a specific pod
- Add experimental user namespace support
- Bugfixes

## v0.7.0

rkt 0.7.0 includes new subcommands for `rkt image` to manipulate images from
the local store.

It also has a new build system based on autotools and integration with SELinux.

Full changelog:

- New subcommands for `rkt image`: extract, render and export
- Metadata service:
  - Auth now based on tokens
  - Registration done by default, unless --mds-register=false is passed
- Build:
  - Remove support for Go 1.3
  - Replace build system with autoconf and make
- Network: fixes for plugins related to mnt namespace
- Signature: clearer error messages
- Security:
  - Support for SELinux
  - Check signature before downloading
- Commands: fix error messages and parameter parsing
- Output: reduce output verbosity
- Systemd integration: fix stop bug
- Tests: Improve tests output

## v0.6.1

The highlight of this release is the support of per-app memory and CPU
isolators. This means that, in addition to restricting a pod’s CPU and memory
usage, individual apps inside a pod can also be restricted now.

rkt 0.6.1 also includes a new CLI/subcommand framework, more functional testing
and journalctl integration by default.

Full changelog:

* Updated to v0.6.1 of the appc spec
* support per-app memory and CPU isolators
* allow network selection to the --private-net flag which can be useful for
  grouping certain pods together while separating others
* move to the Cobra CLI/subcommand framework
* per-app logging via journalctl now supported by default
* stage1 runs an unpatched systemd v220
* to help packagers, rkt can generate stage1 from the binaries on the host at
  runtime
* more functional tests
* bugfixes

## v0.5.6

rkt 0.5.6 includes better integration with systemd on the host, some minor bug
fixes and a new ipvlan network plugin.

- Updated to v0.5.2 of the appc spec
- support running from systemd unit files for top-level isolation
- support per-app logging via journalctl. This is only supported if stage1 has
  systemd v219 or v220
- add ipvlan network plugin
- new rkt subcommand: cat-manifest
- extract ACI in a chroot to avoid malformed links modifying the host
  filesystem
- improve rkt error message if the user doesn’t provide required volumes
- fix rkt status when using overlayfs
- support for some arm architectures
- documentation improvements


## v0.5.5

rkt 0.5.5 includes a move to [cni](https://github.com/appc/cni) network
plugins, a number of minor bug fixes and two new experimental commands for
handling images: `rkt images` and `rkt rmimage`.

Full changelog:
- switched to using [cni](https://github.com/appc/cni) based network plugins
- fetch image dependencies recursively when ACIs have dependent images
- fix the progress bar used when downloading images with no content-length
- building the initial stage1 can now be done on various versions of systemd
- support retrying signature downloads in the case of a 202
- remove race in doing a rkt enter
- various documentation fixes to getting started and other guides
- improvements to the functional testing using a new gexpect, testing for
  non-root apps, run context, port test, and more


## v0.5.4

rkt 0.5.4 introduces a number of new features - repository authentication,
per-app arguments + local image signature verification, port forwarding and
more. Further, although we aren't yet guaranteeing API/ABI stability between
releases, we have added important work towards this goal including functional
testing and database migration code.

This release also sees the removal of the `--spawn-metadata-svc` flag to
`rkt run`. The flag was originally provided as a convenience, making it easy
for users to get started with the metadata service. In rkt v0.5.4 we removed
it in favor of explicitly starting it via the `rkt metadata-service` command.

Full changelog:
- added configuration support for repository authentication (HTTP Basic Auth,
  OAuth, and Docker repositories). Full details in
  `Documentation/configuration.md`
- `rkt run` now supports per-app arguments and per-image `--signature`
  specifications
- `rkt run` and `rkt fetch` will now verify signatures for local image files
- `rkt run` with `--private-net` now supports port forwarding (using
  `--port=NAME:1234`)
- `rkt run` now supports a `--local` flag to use only local images (i.e. no
  discovery or remote image retrieval will be performed)
- added initial support for running directly from a pod manifest
- the store DB now supports migrations for future versions
- systemd-nspawn machine names are now set to pod UUID
- removed the `--spawn-metadata-svc` option from `rkt run`; this mode was
  inherently racy and really only for convenience. A separate
  `rkt metadata-service` invocation should be used instead.
- various internal codebase refactoring: "cas" renamed to "store", tasks to
  encapsulate image fetch operations, etc
- bumped docker2aci to support authentication for Docker registries and fix a
  bug when retrieving images from Google Container Registry
- fixed a bug where `--interactive` did not work with arguments
- garbage collection for networking is now embedded in the stage1 image
- when rendering images into the treestore, a global syncfs() is used instead
  of a per-file sync(). This should significantly improve performance when
  first extracting large images
- added extensive functional testing on semaphoreci.com/coreos/rkt
- added a test-auth-server to facilitate testing of fetching images


## v0.5.3
This release contains minor updates over v0.5.2, notably finalising the move to
pods in the latest appc spec and becoming completely name consistent on `rkt`.
- {Container,container} changed globally to {Pod,pod}
- {Rocket,rocket} changed globally to `rkt`
- `rkt install` properly sets permissions for all directories
- `rkt fetch` leverages the cas.Store TmpDir/TmpFile functions (now exported)
  to generate temporary files for downloads
- Pod lifecycle states are now exported for use by other packages
- Metadata service properly synchronizes access to pod state


## v0.5.2

This release is a minor update over v0.5.1, incorporating several bug fixes and
a couple of small new features:
- `rkt enter` works when overlayfs is not available
- `rkt run` now supports the `--no-overlay` option referenced (but not
  implemented!) in the previous release
- the appc-specified environment variables (PATH, HOME, etc) are once again set
  correctly during `rkt run`
- metadata-service no longer manipulates IP tables rules as it connects over a
  unix socket by default
- pkg/lock has been improved to also support regular (non-directory) files
- images in the cas are now locked at runtime (as described in #460)


## v0.5.1

This release updates Rocket to follow the latest version of the appc spec,
v0.5.1. This involves the major change of moving to _pods_ and _Pod Manifests_
(which enhance and supplant the previous _Container Runtime Manifest_). The
Rocket codebase has been updated across the board to reflect the schema/spec
change, as well as changing various terminology in other human-readable places:
for example, the previous ambiguous (unqualified) "container" is now replaced
everywhere with "pod".

This release also introduces a number of key features and minor changes:
- overlayfs support, enabled for `rkt run` by default (disable with
  `--no-overlayfs`)
- to facilitate overlayfs, the CAS now features a tree store which stores
  expanded versions of images
- the default stage1 (based on systemd) can now be built from source, instead
  of only derived from an existing binary distribution as previously. This is
  configurable using the new `RKT_STAGE1_USR_FROM` environment variable when
  invoking the build script - see fdcd64947
- the metadata service now uses a Unix socket for registration; this limits who
  can register/unregister pods by leveraging filesystem permissions on the
  socket
- `rkt list` now abbreviates UUIDs by default (configurable with `--full`)
- the ImageManifest's `readOnly` field (for volume mounts) is now overridden by
  the rkt command line
- a simple debug script (in scripts/debug) to facilitate easier debugging of
  applications running under Rocket by injecting Busybox into the pod
- documentation for the metadata service, as well as example systemd unit files


## v0.4.2

- First support for interactive containers, with the `rkt run --interactive`
  flag. This is currently only supported if a container has one app. #562 #601
- Add container IP address information to `rkt list`
- Provide `/sys` and `/dev/shm` to apps (per spec)
- Introduce "latest" pattern handling for local image index
- Implement FIFO support in tar package
- Restore atime and mtime during tar extraction
- Bump docker2aci dependency


## v0.4.1

This is primarily a bug fix release with the addition of the `rkt install`
subcommand to help people set up an unprivileged `rkt fetch` based on unix users.

- Fix marshalling error when running containers with resource isolators
- Fixup help text on run/prepare about volumes
- Fixup permissions in `rkt trust` created files
- Introduce the `rkt install` subcommand


## v0.4.0

This release is mostly a milestone release and syncs up with the latest release
of the [appc spec](https://github.com/appc/spec/releases/tag/v0.4.0) yesterday.

Note that due to the introduction of a database for indexing the local CAS,
users upgrading from previous versions of Rocket on a system may need to clear
their local cache by removing the `cas` directory. For example, using the
standard Rocket setup, this would be accomplished with
`rm -fr /var/lib/rkt/cas`.

Major changes since v0.3.2:
- Updated to v0.4.0 of the appc spec
- Introduced a database for indexing local images in the CAS (based on
  github.com/cznic/ql)
- Refactored container lifecycle to support a new "prepared" state, to
  pre-allocate a container UUID without immediately running the application
- Added support for passing arguments to apps through the `rkt run` CLI
- Implemented ACI rendering for dependencies
- Renamed `rkt metadatasvc` -> `rkt metadata-service`
- Added documentation around networking, container lifecycle, and rkt commands


## v0.3.2

This release introduces much improved documentation and a few new features.

The highlight of this release is that Rocket can now natively run Docker
images. To do this, it leverages the appc/docker2aci library which performs a
straightforward conversion between images in the Docker format and the appc
format.

A simple example:

```
$ rkt --insecure-skip-verify run docker://redis docker://tenstartups/redis-commander
rkt: fetching image from docker://redis
rkt: warning: signature verification has been disabled
Downloading layer: 511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158
```

Note that since Docker images do not support image signature verification, the
`-insecure-skip-verify` flag must be used.

Another important change in this release is that the default location for the
stage1 image used by `rkt run` can now be set at build time, by setting the
`RKT_STAGE1_IMAGE` environment variable when invoking the build script. (If
this is not set, `rkt run` will continue with its previous behaviour of looking
for a stage1.aci in the same directory as the binary itself.) This makes it
easier for distributions to package Rocket and include the stage1 wherever
they choose (for example, `/usr/lib/rkt/stage1.aci`). For more information, see
https://github.com/coreos/rocket/pull/520


## v0.3.1

The primary motivation for this release is to resynchronise versions with the
appc spec. To minimise confusion in the short term we intend to keep the
major/minor version of Rocket aligned with the version of spec it implements;
hence, since yesterday v0.3.0 of the appc spec was released, today Rocket
becomes v0.3.1. After the spec (and Rocket) reach v1.0.0, we may relax this
restriction.

This release also resolves an upstream bug in the appc discovery code which was
causing rkt trust to fail in certain cases.


## v0.3.0

This is largely a momentum release but it does introduce a few new user-facing
features and some important changes under the hood which will be of interest to
developers and distributors.

First, the CLI has a couple of new commands:
- `rkt trust` can be used to easily add keys to the public keystore for ACI
  signatures (introduced in the previous release). This supports retrieving
  public keys directly from a URL or using discovery to locate public keys - a
  simple example of the latter is `rkt trust --prefix coreos.com/etcd`. See the
  commit for other examples.
- `rkt list` is an extremely simple tool to list the containers on the system

As mentioned, v0.3.0 includes two significant changes to the Rocket build process:
- Instead of embedding the (default) stage1 using go-bindata, Rocket now
  consumes a stage1 in the form of an actual ACI, containing a rootfs and
  stage1 init/exec binaries. By default, Rocket will look for a `stage1.aci` in
  the same directory as the location of the binary itself, but the stage1 can
  be explicitly specified with the new `-stage1-image` flag (which deprecates
  `-stage1-init` and `-stage1-rootfs`). This makes it much more straightforward
  to use alternative stage1 images with rkt and facilitates packaging it for
  different distributions like Fedora.
- Rocket now vendors a copy of the appc/spec instead of depending on HEAD. This
  means that Rocket can be built in a self-contained and reproducible way and
  that master will no longer break in response to changes to the spec. It also
  makes explicit the specific version of the spec against which a particular
  release of Rocket is compiled.

As a consequence of these two changes, it is now possible to use the standard
Go workflow to build the Rocket CLI (e.g. `go get github.com/coreos/rocket/rkt`
will build rkt). Note however that this does not implicitly build a stage1, so
that will still need to be done using the included ./build script, or some
other way for those desiring to use a different stage1.


## v0.2.0

This introduces countless features and improvements over v0.1.1. Highlights
include several new commands (`rkt status`, `rkt enter`, `rkt gc`) and
signature validation.


## v0.1.1

The most significant change in this release is that the spec has been split
into its own repository (https://github.com/appc/spec), and significantly
updated since the last release - so many of the changes were to update to match
the latest spec.

Numerous improvements and fixes over v0.1.0:
- Rocket builds on non-Linux (in a limited capacity)
- Fix bug handling uncompressed images
- More efficient image handling in CAS
- mkrootfs now caches and GPG checks images
- stage1 is now properly decoupled from host runtime
- stage1 supports socket activation
- stage1 no longer warns about timezones
- cas now logs download progress to stdout
- rkt run now acquires an exclusive lock on the container directory and records
  the PID of the process


## v0.1.0

- tons of documentation improvements added
- actool introduced along with documentation
- image discovery introduced to rkt run and rkt fetch


## v0.0.0

Initial release.