GRR v0.9.2

Minor update.

• fixes a bug in the case where there are so many existing iptables rules when garden is started that iptables -S output exceeds the maximum pipe capacity (https://www.pivotaltracker.com/story/show/132142837)

GRR v0.9.1

• Make destroy more resilient to guardian being abruptly killed
• Bump golang version to 1.7
• Don't create a new session keyring for every container (there's a significant performance penalty for creating a new keyring under load, and runc now supports not doing it).
• Reduce log level of some frequent log messages

GRR v0.9.0

• Ensure deletes are atomic: even if garden is killed during deletes, the delete can now be completed on restart
• Forward logs to syslog (via #16, thanks @keymon!)
• Changes to enable container to container networking plugin (via cloudfoundry/guardian#48, thanks @jaydunk!)

0.8.0

Fixes a bug where the PATH environment variable was not properly set if another environment variable containing the string "PATH=" was specified

GRR v0.7.0

Minor fixes.

• Set a default window size (80x24) when no size is specified and a TTY is attached
• Ensure aufs module is auto-loaded (when available) even if no graph path is specified

GRR v0.6.0

Mostly a bug-fixin'-and-PR-mergin' release. Enjoy, get it while it's hot!

• Improve handling of re-attaching to processes after restart
• Fix bug where output was lost if a process exited while writing to a TTY
• Make semantics of Lookup match garden-linux to avoid flakes in other components (specific Lookup pretends not to know about containers until Create has returned successfully)
• PR: Don't run internal ("kawasaki") networker if an external network plugin path has been provided (enables container-to-container networking plugin to be tried experimentally in production), thanks @rosenhouse!
• PR: Support for execveat syscall in case of ppc64 arch, thanks @barthy1!
• PR: Remove destination filter from MASQUERADE rules, thanks @geofffranks!
• PR: Increase max keyrings from 500 to 1000000, thanks @RochesterinNYC!
• PR: Make rootfs a parameter to be passed in to guardian ifrit runner, thanks @nimakaviani & @jenspinney!

0.5.0

Much good stuff:

• AppArmor! Unprivileged containers are now secured with a default apparmor profile. This is based on the default docker apparmor profile for maximum compatibility
• The shared_mounts bosh property is gone, we now do the right thing for anything in /var/vcap/data
• We now use the new OCI "create/start" split to run network plugins, allowing much more flexibility in how this works and cleaning up the code a lot
• Iodaemon is gone, we now use a binary called 'dadoo' to do a roughly similar job
• Reattaching after restart should now be more bulletproof, for example getting the exit code should work
• Code now imported via code.cloudfoundry.org domain

0.4.0

• Add http_proxy, https_proxy and no_proxy properties for setting HTTP proxies to use when pulling from Docker registries
• NetOut rules with log: true now work correctly
• Container disk limits now work on Xenial
• Unprivileged containers now use seccomp to improve security
• Fixed a bug where container deletion could race with grace time expiration and container creation, resulting in two containers with the same IP address

You can find a guide to transitioning from Garden-Linux to Garden-RunC here.

0.3.0

• max_containers now defaults to 250
• User groups are now properly supported when running processes in containers
• Mounts made on the host are now available to be bind mounted into containers
• Max number of open file descriptors for the garden server is now 65536
• The head of the net-in port allocation queue is now persisted across garden server process restarts, though it is not persisted through VM recreation

You can find a guide to transitioning from Garden-Linux to Garden-RunC here.

0.2.0

• Rename destroy_containers_on_startup property to destroy_containers_on_start, to match Garden-Linux-Release
• NetOut rules now work correctly across server restarts
• Remove tag property, which was only present for testing and was not used
• Set $TMPDIR to a sensible path in /var/vcap/data, rather than using the tiny /tmp provided by BOSH
• Add the network_pool property

You can find a guide to transitioning from Garden-Linux to Garden-RunC here.