Rocket v1.6.0 发布了,此次发布Rocket安全性得以提升。提供了隔离防护,为每一个应用程序分配一个命名空间。具体改进如下: stage1: implement read-only rootfs (#2624). Using the Pod manifest readOnlyRootFS option mounts the rootfs of the app as read-only using systemd-exec unit option ReadOnlyDirectories, see appc/spec. stage1: capabilities: implement both remain set and remove set (#2589). It follows the Linux Isolators semantics from the App Container Executor spec, as modified by appc/spec#600. stage1/init: create a new mount ns for each app (#2603). Up to this point, you could escape the app's chroot easily by using a simple program downloaded from the internet 1. To avoid this, we now create a new mount namespace per each app. api: Return the pods even when we failed getting information about them (#2593). stage1/usr_from_coreos: use CoreOS 1032.0.0 with systemd v229 (#2514). 下载地址:https://github.com/coreos/rkt/releases/tag/v1.6.0 Rocket v1.6.0 发布,安全性增强下载地址
