Releases: cloudfoundry/garden-runc-release
Releases · cloudfoundry/garden-runc-release
GRR v1.0.0
no big deal
GRR v0.9.2
Minor update.
- fixes a bug in the case where there are so many existing iptables rules when garden is started that
iptables -S
output exceeds the maximum pipe capacity (https://www.pivotaltracker.com/story/show/132142837)
GRR v0.9.1
- Make destroy more resilient to guardian being abruptly killed
- Bump golang version to 1.7
- Don't create a new session keyring for every container (there's a significant performance penalty for creating a new keyring under load, and
runc
now supports not doing it). - Reduce log level of some frequent log messages
GRR v0.9.0
- Ensure deletes are atomic: even if garden is killed during deletes, the delete can now be completed on restart
- Forward logs to syslog (via #16, thanks @keymon!)
- Changes to enable container to container networking plugin (via cloudfoundry/guardian#48, thanks @jaydunk!)
0.8.0
Fixes a bug where the PATH environment variable was not properly set if another environment variable containing the string "PATH=" was specified
GRR v0.7.0
Minor fixes.
- Set a default window size (80x24) when no size is specified and a TTY is attached
- Ensure aufs module is auto-loaded (when available) even if no graph path is specified
GRR v0.6.0
Mostly a bug-fixin'-and-PR-mergin' release. Enjoy, get it while it's hot!
- Improve handling of re-attaching to processes after restart
- Fix bug where output was lost if a process exited while writing to a TTY
- Make semantics of
Lookup
match garden-linux to avoid flakes in other components (specificLookup
pretends not to know about containers untilCreate
has returned successfully) - PR: Don't run internal ("kawasaki") networker if an external network plugin path has been provided (enables container-to-container networking plugin to be tried experimentally in production), thanks @rosenhouse!
- PR: Support for execveat syscall in case of ppc64 arch, thanks @barthy1!
- PR: Remove destination filter from MASQUERADE rules, thanks @geofffranks!
- PR: Increase max keyrings from 500 to 1000000, thanks @RochesterinNYC!
- PR: Make rootfs a parameter to be passed in to guardian ifrit runner, thanks @nimakaviani & @jenspinney!
0.5.0
Much good stuff:
- AppArmor! Unprivileged containers are now secured with a default apparmor profile. This is based on the default docker apparmor profile for maximum compatibility
- The
shared_mounts
bosh property is gone, we now do the right thing for anything in/var/vcap/data
- We now use the new OCI "create/start" split to run network plugins, allowing much more flexibility in how this works and cleaning up the code a lot
- Iodaemon is gone, we now use a binary called 'dadoo' to do a roughly similar job
- Reattaching after restart should now be more bulletproof, for example getting the exit code should work
- Code now imported via
code.cloudfoundry.org
domain
0.4.0
- Add
http_proxy
,https_proxy
andno_proxy
properties for setting HTTP proxies to use when pulling from Docker registries - NetOut rules with
log: true
now work correctly - Container disk limits now work on Xenial
- Unprivileged containers now use seccomp to improve security
- Fixed a bug where container deletion could race with grace time expiration and container creation, resulting in two containers with the same IP address
You can find a guide to transitioning from Garden-Linux to Garden-RunC here.
0.3.0
max_containers
now defaults to250
- User groups are now properly supported when running processes in containers
- Mounts made on the host are now available to be bind mounted into containers
- Max number of open file descriptors for the garden server is now
65536
- The head of the net-in port allocation queue is now persisted across garden server process restarts, though it is not persisted through VM recreation
You can find a guide to transitioning from Garden-Linux to Garden-RunC here.