garden-runc/1.2.0
You can find the source of this version on GitHub at cloudfoundry-incubator/guardian-release. It was created based on the commit 2b3dedc5.
Release Notes
- Verified with grootfs-release v0.11.0
Hi garden fans! Today we have a bumper release with lots of nice little fixes and improvements:
API Changes and Deprecations:
- Docker Auth Support: The client.Create call now supports an Image.URI field, which deprecates the existing RootfsPath field. It behaves exactly like the existing field, but it is now also possible to specify Image.Username and Image.Password, which are passed through to the image_plugin if one is configured. This allows an image_plugin (such as grootfs) to fetch Docker images that require authentication.
- Create-Time NetIn/Out: NetIn and NetOut rules can now be specified on the client.Create call, and we recommend all clients switch to this, as the dynamic NetIn/NetOut methods are now deprecated. If specified, the rules are passed to the network_plugin on create, which allows better integration with CNI up/down hooks. The existing methods will continue to be supported in the built-in kawasaki networker until the next major version bump.
- Image Plugin API: The experimental image_plugin API continues to evolve; it no longer needlessly swaps uid before running the plugin in unprivileged mode (this is now up to the plugin to do, if it wishes).
- Grace Time: grace_time now defaults to 0 (i.e. infinity). Most clients were explicitly overriding our default here anyway, and with a non-zero default it was impossible for a client to ask for a container without a grace time at all, since 0 in client.Create means "use the default". Clients must now explicitly set the grace_time bosh property if they wish containers to have a grace time by default.
General Improvements
- RunC was bumped to the latest version
- Inspector-garden is no longer needed! You can now interact with containers without any extra steps. (Yay!)
- Fixed handling of the bosh release shutdown script to avoid a case where a non-zero exit was returned to bosh even though the server had been killed
- The bosh release now raises the host pid limits to avoid running out of pids in large deployments. This does not bound what a single container can fork; to avoid pid exhaustion caused by containers, we recommend configuring ContainerSpec.Pids.Max in the client.Create call.
- It is possible to opt out of apparmor (for environments which cannot support it) by specifying an empty string for the apparmor_profile property. It is also possible to request an apparmor profile other than garden-default, so long as that profile is installed on the host (for example by a bosh pre-start job in an add-on).
- iptables rules now add a descriptive comment containing the container guid for easier debuggability
- Work continues on the experimental rootless mode: there is now a separate setup command which can be run as root, allowing the main guardian server to start up without needing root.
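Three of the items above (the pid limits and ContainerSpec.Pids.Max recommendation, the apparmor_profile property, and the new container-guid comments on iptables rules) are things an operator will want to verify on the host. The script below is an added example, not part of guardian-release: it checks a container's pids cgroup for a missing or nearly exhausted limit, checks that a profile name is actually loaded before it is used as apparmor_profile, and pulls a container's rules out of `iptables -S` output by guid. The cgroup directory and profiles file are parameters, and the `iptables -S` sample, the guids and the chain names are constructed for the demo rather than taken from guardian.

```shell
#!/bin/sh
# Added example (not part of guardian-release): host-side checks for three
# items in these release notes. The cgroup directory, the apparmor profiles
# file and the iptables sample below are parameters or constructed input,
# not guardian's own paths or output.
set -eu

# pids_status DIR
#   DIR is a container's pids cgroup directory (must contain pids.current
#   and pids.max). Prints one of: unlimited, ok, near-limit.
pids_status() {
  dir=$1
  [ -r "$dir/pids.current" ] && [ -r "$dir/pids.max" ] || return 1
  current=$(cat "$dir/pids.current")
  max=$(cat "$dir/pids.max")
  if [ "$max" = max ]; then
    # No Pids.Max on the ContainerSpec: a fork bomb in this container
    # competes with every other process on the host for pids.
    echo unlimited
    return 0
  fi
  # Flag when fewer than 10% of the allowed pids remain.
  if [ $((current * 10)) -ge $((max * 9)) ]; then
    echo near-limit
  else
    echo ok
  fi
}

# apparmor_profile_loaded NAME [PROFILES_FILE]
#   Checks that NAME is loaded on the host before it is used as the
#   apparmor_profile property. An empty NAME is the opt-out and needs no
#   profile. Prints the mode (enforce/complain) or "disabled"; returns 1
#   if the profile is not loaded, 2 if the profiles file is unreadable.
apparmor_profile_loaded() {
  name=$1
  file=${2:-/sys/kernel/security/apparmor/profiles}
  if [ -z "$name" ]; then
    echo disabled
    return 0
  fi
  [ -r "$file" ] || return 2
  # Each line of the profiles file is "<name> (<mode>)".
  if grep -q -x -F -e "$name (enforce)" -- "$file"; then
    echo enforce
  elif grep -q -x -F -e "$name (complain)" -- "$file"; then
    echo complain
  else
    return 1
  fi
}

# rules_for_container GUID
#   Reads `iptables -S` output on stdin and prints the rules whose comment
#   names GUID. Filtering on the comment match first avoids false hits on
#   chain names that merely contain the guid.
rules_for_container() {
  guid=$1
  grep -F -e '--comment' | grep -F -e "$guid" || true
}

# Constructed sample of `iptables -S` output carrying the new comments
# (chain names and guids are made up for this demo).
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -m comment --comment "guid-0001" -j w--instance-guid-0001
-A w--instance-guid-0001 -p tcp -m tcp --dport 8080 -m comment --comment "guid-0001" -j ACCEPT
-A w--instance-guid-0002 -m comment --comment "guid-0002" -j REJECT'

# make_sample_cgroup DIR CURRENT MAX  (constructs a fake pids cgroup dir)
make_sample_cgroup() {
  mkdir -p "$1"
  printf '%s\n' "$2" > "$1/pids.current"
  printf '%s\n' "$3" > "$1/pids.max"
}

# Demo on constructed data.
sample=$(mktemp -d)
make_sample_cgroup "$sample/no-limit" 12 max
make_sample_cgroup "$sample/limited" 12 1024
make_sample_cgroup "$sample/busy" 1000 1024
printf '%s (enforce)\n' garden-default > "$sample/profiles"
for c in no-limit limited busy; do
  printf 'pids %s: %s\n' "$c" "$(pids_status "$sample/$c")"
done
printf 'apparmor garden-default: %s\n' "$(apparmor_profile_loaded garden-default "$sample/profiles")"
printf '%s\n' "$SAMPLE_RULES" | rules_for_container guid-0001
rm -rf "$sample"
```

On a real host, point pids_status at the container's pids cgroup directory, run apparmor_profile_loaded with the profile name you intend to put in apparmor_profile (leaving out the second argument so it reads /sys/kernel/security/apparmor/profiles), and pipe live `iptables -S` output into rules_for_container. A result of "unlimited" from pids_status means the container was created without Pids.Max and can still exhaust the host's pids regardless of the raised host limit.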
Usage
You can reference this release in your deployment manifest from the releases section:

```yaml
- name: "garden-runc"
  version: "1.2.0"
  url: "https://bosh.io/d/github.com/cloudfoundry-incubator/guardian-release?v=1.2.0"
  sha1: "8c63afa62decbabfa809d017c15e4d0ce3c74ff3"
```
Or upload it to your director with the upload-release command:

```shell
bosh upload-release --sha1 8c63afa62decbabfa809d017c15e4d0ce3c74ff3 \
  "https://bosh.io/d/github.com/cloudfoundry-incubator/guardian-release?v=1.2.0"
```