rkt v1.0.0 Release Notes

  • This marks the first release of rkt recommended for use in production. The command-line UX and on-disk format are considered stable and safe to develop against. Any changes to these interfaces will be backwards compatible and subject to formal deprecation. The API is not yet completely stabilized, but is functional and suitable for use by early adopters.

    New features and UX changes

    • Add pod creation and start times to rkt list and rkt status (#2030). See rkt list and rkt status documentation.
    • The DNS configuration can now be passed to the pod via the command line (#2040). See DNS support documentation.
    • Errors are now structured, allowing for better control of the output (#1937). See Error & Output for how a developer should use it.
    • All output now uses the new log package in pkg/log to provide a cleaner and more consistent output format and more helpful debug output (#1937).
    • Added configuration for stage1 image. Users can drop a configuration file to /etc/rkt/stage1.d (or to stage1.d in the user configuration directory) to tell rkt to use a different stage1 image name, version and location instead of build-time defaults (#1977).
    • Replaced the --stage1-image flag with a new set of flags. --stage1-url, --stage1-path, --stage1-name do the usual fetching from remote if the image does not exist in the store. --stage1-hash takes the stage1 image directly from the store. --stage1-from-dir works together with the default stage1 images directory and is described in the next point (#1977).
    • Added default stage1 images directory. Users can use the newly added --stage1-from-dir parameter to avoid typing the full path. --stage1-from-dir behaves like --stage1-path (#1977).
    • Removed the deprecated --insecure-skip-verify flag (#2068).
    • Fetched keys are no longer automatically trusted by default, unless --trust-keys-from-https is used. Additionally, newly fetched keys have to be explicitly trusted with rkt trust if a previous key was trusted for the same image prefix (#2033).
    • Use NAT loopback to make ports forwarded in pods accessible from localhost (#1256).
    • Show a clearer error message when unprivileged users execute commands that require root privileges (#2081).
    • Add a rkt tmpfiles configuration file to make the creation of the rkt data directory on first boot easier (#2088).
    • Remove rkt install command. It was replaced with a setup-data-dir.sh script (#2101).

    Bug fixes

    • Fix regression when authenticating to v2 Docker registries (#2008).
    • Don't link to libacl, but dlopen it (#1963). This means that rkt will not crash if libacl is not present on the host, but it will just print a warning.
    • Only suppress diagnostic messages, not error messages in stage1 (#2111).

    Other changes

    • Trusted Platform Module logging (TPM) is now enabled by default (#1815). This ensures that rkt benefits from security features by default. See rkt's Build Configuration documentation.
    • Added long descriptions to all rkt commands (#2098).

    Migration

    • The --stage1-image flag was removed. Scripts using it should be updated to use one of --stage1-url, --stage1-path, --stage1-name, --stage1-hash or --stage1-from-dir.
    • All uses of the deprecated --insecure-skip-verify flag should be replaced with the --insecure-options flag, which allows users to selectively disable security features.
    • The rkt install command was removed in favor of the dist/scripts/setup-data-dir.sh script.
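
One way to find scripts that still need the migration steps above, as an added example that is not part of rkt or its release notes. The function names, the sample script, and its paths and image names are constructed for illustration; the removed interfaces and their replacements are taken from the list above.

```shell
#!/bin/sh
# Added example (not part of rkt): removals taken from the Migration list.
# rkt_migration_lint FILE...  prints "file:line: message" for each use of an
# interface removed in rkt v1.0.0; returns 1 if any were found, else 0.
rkt_migration_lint() {
    awk '
        function report(msg) {
            printf "%s:%d: %s\n", FILENAME, FNR, msg
            found = 1
        }
        # Whole-line shell comments are never executed, so skip them.
        /^[ \t]*#/ { next }
        /--stage1-image([= \t]|$)/ {
            report("--stage1-image was removed; use --stage1-url, --stage1-path, --stage1-name, --stage1-hash or --stage1-from-dir")
        }
        /--insecure-skip-verify([= \t]|$)/ {
            report("--insecure-skip-verify was removed; use --insecure-options to disable features selectively")
        }
        /(^|[^A-Za-z0-9_-])rkt[ \t]+install([ \t;]|$)/ {
            report("rkt install was removed; use dist/scripts/setup-data-dir.sh")
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# Constructed sample script (hypothetical paths and image names) for a demo run.
rkt_migration_demo() {
    sample=$(mktemp) || return 2
    cat > "$sample" <<'EOF'
#!/bin/sh
# old habit: rkt run --stage1-image=/x   (comment, ignored)
rkt install
rkt run --insecure-skip-verify --stage1-image=/opt/stage1.aci example.com/app
rkt run --stage1-path=/opt/stage1.aci example.com/app
EOF
    status=0
    rkt_migration_lint "$sample" || status=$?
    rm -f "$sample"
    return "$status"
}
```

The check is line-based, so a flag passed through a variable or a global option placed between rkt and install is not detected.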

    Note for packagers

    With this release, rkt RPM/dpkg packages should have the following updates:

    • Pass --enable-tpm=no to the configure script if rkt should not use TPM.
    • Use the --with-default-stage1-images-directory configure flag if the default is not acceptable, and install the built stage1 images there.
    • Distributions using systemd: install the new file dist/init/systemd/tmpfiles.d/rkt.conf in /usr/lib/tmpfiles.d/rkt.conf and then run systemd-tmpfiles --create rkt.conf. This can replace running rkt install to set the correct ownership and permissions.