GRR v1.11.0: This One Goes To Eleven

UPGRADE NOTE, ADDED 6/3/18: the previous rootfs management code had a bug where it considered compressed layer sizes rather than uncompressed sizes when calculating docker image quota usage. This means after upgrading to this version of garden docker images that used to fit in to quota (due to the bug) may no longer fit in to the same quota size

This release integrates grootfs and makes it the default filesystem manager for garden. You can still opt back in to garden-shed using the deprecated_use_garden_shed property. Grootfs uses overlay+xfs rather than aufs and supports running without root privileges.

Action Required: If you were using the separate grootfs-release, you can now just use this release. cf-deployment users do not need to take any action.

Action Required: If you weren't using grootfs-release please try to combine this deploy with a stemcell update or do a --recreate of your cells to clean up extra space from the old rootfs management code.

Other Noteworthy Changes:

• A number of fixes to grootfs, including fixing a leak in GC and removing an overbroad log line that could lead to passwords being logged.
• Fixes for creating processes with their own root filesystem in privileged containers
• Garden's init process now properly reaps processes. This avoids zombies on more recent kernels.
• Rootless mode is now supported on stemcells with hardened umask settings.

Bosh Property Updates

• As part of merging grootfs in to garden, the grootfs.* properties are now available in this release. Existing garden.* properties related to rootfs management are deprecated but still work to set the corresponding grootfs properties.
• It is now possible to ask for additional DNS entries to be supplied via the additional_host_entries bosh property (#54)

Dependency Updates:

• tar bumped to 1.30
• libnftnl bumped to 1.0.9

GRR v1.10.0: Peas Release Me

• Verified with grootfs-release v0.30.0

Major Changes:

• It is now possible to specify a ProcessSpec.Image. This causes a Process to have its own filesystem view (mount namespace) and base root filesystem. Processes with their own filesystem view share other namespaces (in particular, they share the same network) and resource limits (i.e. cgroups)
• A process can additionally request independent resource limits from the rest of the container by specifying ProcessSpec.OverrideContainerLimits{}.

Limitations:

• Currently it is only possible to use ProcessSpec.Image and ProcessSpec.OverrideContainerLimits with unprivileged containers. This will be fixed in future releases.
• The only currently meaningful values for ProcessSpec.OverrideContainerLimits are nil (share limits with sandbox container - i.e. current behaviour) and Limits{} (opt-out of resource limits for this process). Future releases will add the ability to specify specific, separate memory/cpu limits for processes using this API.
• APIs such as BulkMetrics and Process.Signal may not work immediately after container.Run(ProcessSpec) returns for processes with Image and/or OverrideContainerLimits specified. This will be fixed in future releases.

Other Changes:

• We've lessened the amount of logging we do in BulkMetrics to reduce log volume in large environments
• We're now masking some more places in /proc
• Garden now correctly declares that the bundles it creates are OCI Runtime Spec version 1.0.0 compliant.

GRR v1.9.5: Please Peas Me

• Verified with grootfs-release v0.28.1

Minor and experimental changes (including the start of the "garden peas" track of work) plus a golang bump.

• Bumped go to 1.9.1
• Tightened ownership/permissions of some directories
• Experimental: initial support for "garden peas" -- container processes supplying their own rootfs (but sharing namespaces/cgroups with a sandbox container)
• Experimental: uid range in rootless mode now starts at 65536 to avoid any container uid overlapping any regular bosh user id.

Bosh Property Changes

• provides a rootless_link so that co-located plugin releases (e.g. grootfs-release) can auto-configure rootless mode

GRR v1.9.4: The Sisyphus Cgroup

• Verified with grootfs-release v0.26.0

The release mounts the container's cgroups at /sys/fs/cgroup inside the container, in read-only mode, to allow containers to introspect their resource limits and usage.

Additionally, the permissions and ownership of /var/vcap/data/garden have been hardened to work as securely as possible in combination with umask hardened stemcells.

GRR v1.9.3: Patch me if you can

• Verified with grootfs-release v0.25.0

Minor changes:

• some updates to the experimental windows job
• bumped go version to 1.9
• bosh release now generated (hopefully) with a sha256 digest
• garden now returns a specific ProcessNotFound error when attaching to a process which doesn't exist
• under the covers, work to be able to run without root in real environments is nearing completion

GRR v1.9.2: We did a patch release

• Verified with grootfs-release v0.24.0

Patch release with some bug fixes and some API changes for experimental image and runtime plugins. This release also includes substantial updates for the new rootfs+layer image scheme and the rootless mode which are both still considered undocumented and experimental.

Noteworthy Bug Fixes

• Previously if the container crashed before the network was configured a pid of zero could be passed to the network plugin resulting in confusing error messages (https://www.pivotaltracker.com/story/show/150078138).
• It is now possible to use bind mounts that have a MNT_SHARED propagation type. This would previously be overriden by runc which was a change of behaviour from garden-linux and broke attached disks in bosh-lite (https://www.pivotaltracker.com/story/show/149995674).

Updates to Experimental Features

• A new preloaded+layer:// scheme for the ContainerSpec.Image property allows a client to request a droplet layer be added to the rootfs in the create call (rather than via a separate StreamIn call). This allows the final rootfs to be pre-created via copy-on-write in the layered filesystem rather than by extracting the droplet tarball in to a running container. (Note: this API is currently experimental and subject to change).
• The Experimental Rootless Mode is nearing completion and now supports limiting cpu and memory usage for created containers.
• Numerous updates have been made to the windows job to enable Garden-on-Windows support
• Garden now reports metrics for StreamIn and Create to aid in debugging performance of image plugins (https://www.pivotaltracker.com/story/show/149914457).

Bosh Property Changes

• Garden's default port-pool range now starts from 61001 rather than 60000 to avoid colliding with the top of the ephemeral port range. This reduces the number of ports in the pool to 4534 but avoids potential conflicts with OS-assigned ports. Operators can use the garden.port_pool.start and garden.port_pool.size properties to change this range (https://www.pivotaltracker.com/story/show/117415775).

GRR v1.9.0: Private Registry Reporting For Duty

• Verified with grootfs-release v0.20.0

Resolves a problem where after multiple invocations of Attach some output would be lost. Also fixes private image support for various non-docker docker registries.

Major Fixes:

• Fixes calls to the docker /v2 endpoints, this was previously breaking support for private images in various registries ECR (AWS EC2 Container Registry), GCR (Google Container Registry) and JFrog Artifactory.
• Multiple invocations of Attach no longer lose output (#144412999 )

Minor Fixes:

• http_proxy property is now properly escaped (#147667115)
• Less noisy logging on start (#146489225)

Changed Bosh Properties:

• The http_proxy property is now properly escaped before being used (#147667115)
• The garden_windows job now exposes various new flags (we will start listing these when Windows is officially supported).

GRR v1.8.0: Yes it runs on windows, why do you ask?

• Verified with grootfs-release v0.19.0

Various things and oh yeah GUARDIAN RUNS (EXPERIMENTALLY) ON WINDOWS NOW.

Major Things

• Allows specifying a maximum tcp kernel memory limit for containers.
• Allow specifying a runtime_plugin other than the default (runc)
• Beginnings of support for running on windows

Highlighted Minor Fixes

• Avoid doing unnecessary DNS lookups at startup
• Ensure MTU is never set defaulted higher than 1500, even if the MTU of the external interface happens to be higher than that (see cloudfoundry/guardian#77)
• Don't explode on restart when -1 was specified as ICMP rule type (see #30)

GRR v1.7.0: UDP and Me

• Verified with grootfs-release v0.18.0

Minor release. Allows logging UDP/ICMP packets and stops shipping unused shadow package with the bosh release. Get it while it's hot!

GRR v1.6.0: Oh, you are auth-full

• Verified with grootfs-release v0.17.1

Big Changes

• Support for Authenticated (User/Pass) Docker Repositories in native garden-shed rootfs fetcher! Woop!

Little Changes and Fixes

• RunC output is now streamed to the main garden log rather than collected after execution has finished. This enables better diagnostics for cases where runc hangs or deadlocks
• Fixed a regressed that made /etc/hosts and /etc/resolv.conf not writable by root in the container
• max_containers property is now enforced rather than just being reported in client.Capacity()
• Changed image_plugin api to allow the plugin to return JSON in order to better support rootless containers using overlayfs (the image plugin API is still experimental and subject to change)