Rocket v1.6.0 发布,安全性增强

发布于 2016年05月14日
收藏 5

Rocket v1.6.0 发布了,此次发布Rocket安全性得以提升。提供了隔离防护,为每一个应用程序分配一个命名空间。具体改进如下:

  • stage1: implement read-only rootfs (#2624). Using the Pod manifest readOnlyRootFS option mounts the rootfs of the app as read-only using systemd-exec unit option ReadOnlyDirectories, see appc/spec.

  • stage1: capabilities: implement both remain set and remove set (#2589). It follows the Linux Isolators semantics from the App Container Executor spec, as modified by appc/spec#600.

  • stage1/init: create a new mount ns for each app (#2603). Up to this point, you could escape the app's chroot easily by using a simple program downloaded from the internet 1. To avoid this, we now create a new mount namespace per each app.

  • api: Return the pods even when we failed getting information about them (#2593).

  • stage1/usr_from_coreos: use CoreOS 1032.0.0 with systemd v229 (#2514).


转载请注明:文章转载自 OSCHINA 社区 []
本文标题:Rocket v1.6.0 发布,安全性增强