Rocket v1.6.0 发布,安全性增强

oschina
 oschina
发布于 2016年05月14日
收藏 5

Rocket v1.6.0 发布了,此次发布Rocket安全性得以提升。提供了隔离防护,为每一个应用程序分配一个命名空间。具体改进如下:

  • stage1: implement read-only rootfs (#2624). Using the Pod manifest readOnlyRootFS option mounts the rootfs of the app as read-only using systemd-exec unit option ReadOnlyDirectories, see appc/spec.

  • stage1: capabilities: implement both remain set and remove set (#2589). It follows the Linux Isolators semantics from the App Container Executor spec, as modified by appc/spec#600.

  • stage1/init: create a new mount ns for each app (#2603). Up to this point, you could escape the app's chroot easily by using a simple program downloaded from the internet 1. To avoid this, we now create a new mount namespace per each app.

  • api: Return the pods even when we failed getting information about them (#2593).

  • stage1/usr_from_coreos: use CoreOS 1032.0.0 with systemd v229 (#2514).

下载地址:https://github.com/coreos/rkt/releases/tag/v1.6.0


本站文章除注明转载外,均为本站原创或编译。欢迎任何形式的转载,但请务必注明出处,尊重他人劳动共创开源社区。
转载请注明:文章转载自 OSCHINA 社区 [http://www.oschina.net]
本文标题:Rocket v1.6.0 发布,安全性增强
加载中
返回顶部
顶部