rkt v1.5.0 has been released. Rocket (also called rkt) is a container engine from CoreOS. Like Docker, it helps developers package an application together with its dependencies into a portable container, simplifying deployment work such as environment setup. Where Rocket differs from Docker is that it lacks the "convenience features" Docker offers enterprise users, such as cloud-service acceleration tools and cluster systems. Conversely, what Rocket aims to be is a purer industry standard.
New features and bug fixes:
New features
stage1: replace appexec with pure systemd (#2493). Replace functionality implemented in appexec with equivalent systemd options. This allows restricting the capabilities granted to apps in a pod and makes enabling other security features (per-app mount namespaces, seccomp filters...) easier.
stage1: restrict capabilities granted to apps (#2493). Apps in a pod now receive a smaller set of capabilities.
rkt/image: render images on fetch (#2398). On systems with overlay fs support, rkt was delaying rendering images to the tree store until they were about to run for the first time which caused that first run to be slow for big images. When fetching as root, render the images right away so the first run is faster.
Bug fixes
kvm: fix mounts regression (#2530). Cause: AppRootfsPath, when called with the local "root" value, was adding stage1/rootfs twice. After this change the path is built correctly.
rkt/image: strip "Authorization" on redirects to a different host (#2465). The "Authorization" header is no longer passed when a redirect goes to a different host, because doing so can leak sensitive information to unexpected third parties.
stage1/init: interpret the string "root" as UID/GID 0 (#2458). This is a special case and it should work even if the image doesn't have /etc/passwd or /etc/group.
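The "Authorization" fix above describes a rule every image fetcher needs: credentials sent to the registry must not follow a redirect to some other host (a CDN, a mirror, or an attacker-controlled server named in a Location header). The Go snippet below is an added illustration of that rule, not rkt's own code; redirectHeaders and sensitiveHeaders are names chosen here, the URLs and token are constructed sample values, and the CheckRedirect hook is one way to apply the rule with the standard net/http client (recent Go releases already drop Authorization on cross-host redirects themselves; the explicit version makes the policy visible and testable).

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sensitiveHeaders are request headers that must never accompany a
// redirect to a different host, because the new host is a third party
// from the point of view of the credential. (Constructed list.)
var sensitiveHeaders = []string{"Authorization"}

// sameHost reports whether two URLs address the same host. Hostnames
// are compared case-insensitively; a different port counts as a
// different host, so credentials are not forwarded across ports either.
func sameHost(a, b *url.URL) bool {
	return strings.EqualFold(a.Host, b.Host)
}

// redirectHeaders returns the headers that may be sent when following a
// redirect from prev to next: a copy of hdr with the sensitive headers
// removed whenever the host changes. hdr itself is never modified.
func redirectHeaders(prev, next *url.URL, hdr http.Header) http.Header {
	out := hdr.Clone()
	if out == nil {
		out = http.Header{}
	}
	if !sameHost(prev, next) {
		for _, name := range sensitiveHeaders {
			out.Del(name)
		}
	}
	return out
}

// newRedirectSafeClient builds an http.Client whose CheckRedirect hook
// rewrites the outgoing headers through redirectHeaders on every hop
// and caps the redirect chain, so a registry cannot bounce the client
// indefinitely.
func newRedirectSafeClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return fmt.Errorf("stopped after %d redirects", len(via))
			}
			prev := via[len(via)-1]
			req.Header = redirectHeaders(prev.URL, req.URL, prev.Header)
			return nil
		},
	}
}

func main() {
	// Constructed example: an image fetch from a registry that redirects
	// the blob download to a separate host.
	registry, _ := url.Parse("https://registry.example.test/v2/app/blobs/sha256-x")
	cdn, _ := url.Parse("https://blobs.other-host.test/sha256-x")
	hdr := http.Header{}
	hdr.Set("Authorization", "Bearer constructed-token")
	hdr.Set("Accept", "application/octet-stream")

	forwarded := redirectHeaders(registry, cdn, hdr)
	fmt.Printf("Authorization forwarded to %s: %q\n", cdn.Host, forwarded.Get("Authorization"))
	fmt.Printf("Accept forwarded to %s: %q\n", cdn.Host, forwarded.Get("Accept"))
	_ = newRedirectSafeClient()
}
```

The policy lives in a pure function so it can be unit-tested without a network, and the client hook is the only place that touches real requests; putting the rule in the hook alone would make it easy to forget when a second client is created elsewhere in the code base.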
Download: https://github.com/coreos/rkt/releases/tag/v1.5.0
Source: OSChina community

