GRR v1.4.0: The One With The Minor Networking Changes

• Verified with grootfs-release v0.15.0

Hi Gardeneers!

GRR v1.4.0 mostly introduces some changes to the network plugin API and introduces a first-pass experimental ability to limit container block IO. Please, contain your enthusiasm.

Network Plugin / Networking Changes

• We now allow the network plugin to return a set of DNS servers which we will ensure are set on the container's resolv.conf. This allows DNS policy to be set by the network plugin if enabled.
• When the network plugin is not enabled, there's now an additional_dns_servers property that allows specifying extra DNS servers which should be appended to any inherited from resolv.conf or set to the dns_servers property.
• /etc/hosts and /etc/resolv.conf are now bind-mounted in to the container rather than being written in a chroot. This interacts better with user namespaces and rootless containers and is generally more simple and secure.
• We no longer set up the built-in networkers iptable chains when an external network plugin is enabled, to avoid confusion caused by two things both creating iptable state on the host
• Log messages from NetOut(log=true) rules now properly truncate handles so that space separation is preserved when the handle is longer than 29 characters

BlockIO Limiting (Experimental)

• We've added an experimental default_container_blockio_weight property to allow assigning a blockio weight to all containers created by garden. This requires the CFQ scheduler to be enabled to be useful and applies to all garden-created containers on the host. The feature is being released experimentally via the bosh property, feedback welcome!

Rootless Mode

• You can now follow the updated experimental rootless mode doc to add networking support to your rootless containers.