rkt v1.0.0 Release Notes
This marks the first release of rkt recommended for use in production. The command-line UX and on-disk format are considered stable and safe to develop against. Any changes to these interfaces will be backwards compatible and subject to formal deprecation. The API is not yet completely stabilized, but is functional and suitable for use by early adopters.
New features and UX changes
- Add pod creation and start times to rkt list and rkt status (#2030). See rkt list and rkt status documentation.
- The DNS configuration can now be passed to the pod via the command line (#2040). See DNS support documentation.
- Errors are now structured, allowing for better control of the output (#1937). See Error & Output for how a developer should use it.
- All output now uses the new log package in pkg/log to provide a cleaner and more consistent output format and more helpful debug output (#1937).
- Added configuration for stage1 image. Users can drop a configuration file to /etc/rkt/stage1.d (or to stage1.d in the user configuration directory) to tell rkt to use a different stage1 image name, version and location instead of build-time defaults (#1977).
- Replaced the --stage1-image flag with a new set of flags. --stage1-url, --stage1-path, --stage1-name do the usual fetching from remote if the image does not exist in the store. --stage1-hash takes the stage1 image directly from the store. --stage1-from-dir works together with the default stage1 images directory and is described in the next point (#1977).
- Added default stage1 images directory. Users can use the newly added --stage1-from-dir parameter to avoid typing the full path. --stage1-from-dir behaves like --stage1-path (#1977).
- Removed the deprecated --insecure-skip-verify flag (#2068).
- Fetched keys are no longer automatically trusted by default, unless --trust-keys-from-https is used. Additionally, newly fetched keys have to be explicitly trusted with rkt trust if a previous key was trusted for the same image prefix (#2033).
- Use NAT loopback to make ports forwarded in pods accessible from localhost (#1256).
- Show a clearer error message when unprivileged users execute commands that require root privileges (#2081).
- Add a rkt tmpfiles configuration file to make the creation of the rkt data directory on first boot easier (#2088).
- Remove rkt install command. It was replaced with a setup-data-dir.sh script (#2101).
Bug fixes
- Fix regression when authenticating to v2 Docker registries (#2008).
- Don't link to libacl, but dlopen it (#1963). This means that rkt will not crash if libacl is not present on the host, but it will just print a warning.
- Only suppress diagnostic messages, not error messages in stage1 (#2111).
Other changes
- Trusted Platform Module logging (TPM) is now enabled by default (#1815). This ensures that rkt benefits from security features by default. See rkt's Build Configuration documentation.
- Added long descriptions to all rkt commands (#2098).
Migration
- The --stage1-image flag was removed. Scripts using it should be updated to use one of --stage1-url, --stage1-path, --stage1-name, --stage1-hash or --stage1-from-dir.
- All uses of the deprecated --insecure-skip-verify flag should be replaced with the --insecure-options flag, which allows the user to selectively disable security features.
- The rkt install command was removed in favor of the dist/scripts/setup-data-dir.sh script.
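
A pre-upgrade check for the migration items above, as an added example that is not part of the rkt release notes or the rkt project: it scans shell scripts for the three removed interfaces and prints the replacement named in this section. The function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of rkt: report uses of interfaces removed in v1.0.0.
# Prints "file:line: message" per finding; returns 1 if any finding, else 0.
check_rkt_migration() {
    _found=0
    for _f in "$@"; do
        _out=$(awk -v file="$_f" '
            /^[ \t]*#/ { next }                 # ignore comment lines
            {
                line = " " $0 " "               # pad so line edges act as delimiters
                if (line ~ /[^A-Za-z0-9_-]--stage1-image[^A-Za-z0-9_-]/)
                    printf "%s:%d: --stage1-image removed; use --stage1-url, --stage1-path, --stage1-name, --stage1-hash or --stage1-from-dir\n", file, NR
                if (line ~ /[^A-Za-z0-9_-]--insecure-skip-verify[^A-Za-z0-9_-]/)
                    printf "%s:%d: --insecure-skip-verify removed; use --insecure-options\n", file, NR
                if (line ~ /[^A-Za-z0-9_-]rkt[ \t]+install[^A-Za-z0-9_-]/)
                    printf "%s:%d: rkt install removed; use dist/scripts/setup-data-dir.sh\n", file, NR
            }' "$_f")
        if [ -n "$_out" ]; then
            printf '%s\n' "$_out"
            _found=1
        fi
    done
    return "$_found"
}

# Constructed sample provisioning script (not taken from a real deployment).
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# old: rkt install was used here
rkt install
rkt run --insecure-skip-verify --stage1-image=/opt/stage1.aci example.com/app
rkt run --stage1-path=/opt/stage1.aci example.com/app
EOF
}

# Run against the constructed sample when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    _tmp=$(mktemp)
    write_sample_script "$_tmp"
    check_rkt_migration "$_tmp"
    rm -f "$_tmp"
fi
```

The non-zero return on any finding lets the check gate a packaging or CI step. A use of --insecure-skip-verify deserves manual review rather than a mechanical swap, since --insecure-options disables security features selectively.
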
Note for packagers
With this release, rkt RPM/dpkg packages should have the following updates:
- Pass --enable-tpm=no to configure script, if rkt should not use TPM.
- Use the --with-default-stage1-images-directory configure flag, if the default is not acceptable and install the built stage1 images there.
- Distributions using systemd: install the new file dist/init/systemd/tmpfiles.d/rkt.conf in /usr/lib/tmpfiles.d/rkt.conf and then run systemd-tmpfiles --create rkt.conf. This can replace running rkt install to set the correct ownership and permissions.