GRR v1.1.1

• Verified with grootfs-release v0.7.0

Patches runC to address a security vulnerability (CVE-2016-9962). Garden never runs user processes as pid 1 (which the mentioned exploit relies on) and enables apparmor (which prevents ptrace), but the patch also works around a kernel mis-ordering of operations that could very briefly expose an fd in a container.

GRR v1.1.0

• Verified with grootfs-release v0.7.0

Happy 2017 Garden Fans!

New year, new garden release. Get it while it's hot. Here are some highlights:

• v1.1.0 marks the official start of garden's 'semantic version policy'. From this release you can expect that we will maintain backwards compatibility for existing clients with new garden versions in the v1+ series (in other words if a client says it has been tested with garden 1.N, we expect any version from 1.N to 2 to work with that client. You are still advised to test well in your own CI).
• We are now automatically creating a single-binary version of garden, called 'gdn' (and pronounced "gdn") - linked from these very release notes! - so that you can easily take it for a spin on your own server. Just download and run.
• More performance work: we now test performance over a large number of creates in our CI and will be tracking any performance regressions. More to come on this front.
• Fixed a nasty deadlock in the case where runc blows up and prints large amounts to stderr before we're ready to read it.
• No longer listening on debug_address unless explicitly requested
• Removed spurious and very annoying auplink error message on destroys

GRR v1.0.4

• Verified with grootfs-release v0.6.0

Hi garden consumers! We're pleased to present a fresh new garden release with the following great new features:

• Fixed significant performance degradation for long-running deployments (due to a memory leak in a dependency).
• Support for a new ContainerSpec.Limits.Pid.Max field to limit max processes in a container (note: uses new PID cgroup, requires 4.4+ kernels)
• No default for debug_listen_address property any more - default is not to listen. If you wish to enable debugging, you should explicitly opt in.
• We now use the iptables-restore packaged in the bosh release rather than relying on whatever's in the base OS
• Improvements to network_plugin API for BulkNetOut
• Improvements to image_plugin API. Now testing against grootfs in pipeline and listing compatible versions in these very release notes.

You will notice that these very release notes now list compatible versions of grootfs. These are the releases we have tested this version of garden-runc against. GrootFS is the new Garden Root Filesystem management component. We intend to eventually deprecate the built-in rootfs management in Garden in favour of GrootFS. At this point GrootFS is (very) experimental, but those who wish to test with it can find instructions in the grootfs-release repo. We will officially deprecate the built-in rootfs manager and then give a timeline for its removal in later releases.

Happy Gardening!

GRR v1.0.3

implements new BulkNetOut API for external networking plugins

GRR v1.0.2

• Swap to using iptables-restore due to regular iptables becoming extremely slow with lots of rules on recent kernels
• Minor changes to experimental image_plugin api

GRR v1.0.1

Minor fix and some work on the image plugin API

• Hostnames are now truncated where the handle is super-long (https://www.pivotaltracker.com/story/show/132858029)
• Various improvements to image_plugin API for grootfs

GRR v1.0.0

no big deal

GRR v0.9.2

Minor update.

• fixes a bug in the case where there are so many existing iptables rules when garden is started that iptables -S output exceeds the maximum pipe capacity (https://www.pivotaltracker.com/story/show/132142837)

GRR v0.9.1

• Make destroy more resilient to guardian being abruptly killed
• Bump golang version to 1.7
• Don't create a new session keyring for every container (there's a significant performance penalty for creating a new keyring under load, and runc now supports not doing it).
• Reduce log level of some frequent log messages

GRR v0.9.0

• Ensure deletes are atomic: even if garden is killed during deletes, the delete can now be completed on restart
• Forward logs to syslog (via #16, thanks @keymon!)
• Changes to enable container to container networking plugin (via cloudfoundry/guardian#48, thanks @jaydunk!)