Lithos Changes By Release
v0.19.0
- Feature: a new process in a bridged network gets the CAP_NET_BIND_SERVICE capability in its own network namespace (effectively allowing it to bind port 80, 443 or any other port < 1024)
- Bugfix: made `default-gateway` in `bridged-network` optional
- Bugfix: lithos now deletes the veth interface if it already exists before starting a process (previously you needed to resolve this manually)
Note: we're making this release major to show that it requires more testing than a regular update. This is because we changed the internals quite a bit to allow a network namespace owned by the process.
v0.18.4
- Bugfix: only send SIGTERM to the process once when upgrading or stopping it (this prevents certain issues with the applications themselves)
- Bugfix: don't reset the kill timeout on SIGQUIT of lithos_tree
- Bugfix: correctly wait for the kill timeout for retired children (ones no longer in the config)
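The stop sequence these fixes describe (a single SIGTERM, a kill timeout, then SIGKILL) is easy to get subtly wrong. The following is an added illustration written for this page, not lithos code: `stop_child`, `KILL_TIMEOUT` and the two constructed child processes are assumptions chosen so the example runs stand-alone with the current Python interpreter.

```python
"""Stop a child the way the v0.18.4 notes describe: one SIGTERM, then SIGKILL.

Added illustration, not lithos code.  stop_child and KILL_TIMEOUT are assumed
names; the two children are constructed test processes spawned with the
running Python interpreter.
"""
import signal
import subprocess
import sys
import time

KILL_TIMEOUT = 1.0  # seconds to wait after the single SIGTERM (assumed value)

# Constructed test children.  The first exits on SIGTERM; the second ignores
# SIGTERM.  Both print "ready" once set up so the supervisor never signals a
# child that has not yet installed its handler.
COOPERATIVE = [sys.executable, "-c",
               "import time; print('ready', flush=True); time.sleep(30)"]
STUBBORN = [sys.executable, "-c",
            "import signal, time\n"
            "signal.signal(signal.SIGTERM, signal.SIG_IGN)\n"
            "print('ready', flush=True)\n"
            "time.sleep(30)"]


def spawn(argv):
    """Start a child and block until it reports that it is ready."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, text=True)
    if proc.stdout.readline().strip() != "ready":
        raise RuntimeError("child did not report ready")
    return proc


def stop_child(proc, kill_timeout=KILL_TIMEOUT):
    """Send exactly one SIGTERM, wait up to kill_timeout, then SIGKILL.

    Returns the wait status as Popen reports it: -15 if the child honoured
    SIGTERM, -9 if it had to be killed.  A second SIGTERM is deliberately never
    sent: it can interrupt an application's own shutdown handler, which is the
    class of problem the v0.18.4 fix avoids.
    """
    proc.send_signal(signal.SIGTERM)
    deadline = time.monotonic() + kill_timeout
    while proc.poll() is None and time.monotonic() < deadline:
        time.sleep(0.02)
    if proc.poll() is None:
        # Kill timeout expired: escalate exactly once.
        proc.kill()
    status = proc.wait()
    if proc.stdout:
        proc.stdout.close()
    return status


if __name__ == "__main__":
    print("cooperative child:", stop_child(spawn(COOPERATIVE)))  # -15
    print("stubborn child:", stop_child(spawn(STUBBORN)))        # -9
```

The polling loop is what makes "wait for the kill timeout" meaningful for a child that is still in the supervisor's table: the timeout is measured from the one SIGTERM that was sent, and it is not restarted by any later event.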
v0.18.3
- Bugfix: it looks like reading through `/proc/` is inherently racy, i.e. some process may be skipped. This release makes the walk faster and traverses the directory twice. A more elaborate fix will be implemented in the future.
v0.18.2
- Feature: add `secret-environ-file`, which can be used to offload secrets to a separate (perhaps shared) file
v0.18.1
- Feature: add `set-non-block` option to `tcp-ports`
v0.18.0
- Breaking: we don't run `arping` after container setup by default, as it doesn't work in certain environments. Use `after-setup-command` instead.
v0.17.7
- Bugfix: log the name of the process when lithos_knot fails
- Bugfix: more robust parsing of process names by lithos_ps
- Feature: add `@{lithos:pid}` magic variable
v0.17.6
- Bugfix: systemd protocol support fixed: `LISTEN_FDNAMES` and `LISTEN_PID`
v0.17.5
- Feature: check variable substitution with `lithos_check` even in `--check-container` (out of system) mode
v0.17.4
- Feature: Add `DottedName` variable type
- Feature: Add `activation` parameter to `TcpPort` variable
v0.17.3
- Bugfix: fix EADDRINUSE error when all children requiring a file descriptor were queued for restart (throttled); the bug was due to a duped socket lying in the scheduled command (while the main socket is closed to notify peers that there are no listeners)
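The mechanism behind this bug is worth seeing directly: a listening TCP socket stays bound for as long as any descriptor referring to it is open, so closing the "main" fd while a duplicate lingers neither frees the port nor signals to peers that nobody is listening. The following is an added example written for this page, not lithos code; the function names and the use of a kernel-chosen loopback port are assumptions.

```python
"""Why a stray dup() of a listening socket causes EADDRINUSE.

Added illustration of the failure mode in the v0.17.3 notes, not lithos code.
Function names and the loopback port (0 = kernel picks a free one) are
assumptions.
"""
import errno
import os
import socket

EADDRINUSE = errno.EADDRINUSE


def bind_listener(port=0):
    """Bind a fresh listening TCP socket on loopback (no SO_REUSEADDR)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(8)
    return srv


def try_bind(port):
    """Return None if the port can be bound now, else the errno of the failure."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind(("127.0.0.1", port))
        return None
    except OSError as exc:
        return exc.errno
    finally:
        probe.close()


def demo():
    """Reproduce the leak and the fix; returns (errno_with_leak, errno_after_fix)."""
    srv = bind_listener()
    port = srv.getsockname()[1]
    # The stray descriptor: a dup() stashed in, say, a queued restart command
    # that the supervisor forgot to close.
    leaked_fd = os.dup(srv.fileno())
    srv.close()                 # the "main" socket is closed ...
    with_leak = try_bind(port)  # ... yet the kernel still sees a listener
    os.close(leaked_fd)         # the fix: every copy of the fd must be closed
    after_fix = try_bind(port)  # now the port is genuinely free
    return with_leak, after_fix


if __name__ == "__main__":
    leak, fixed = demo()
    print("rebind with leaked dup:", errno.errorcode.get(leak, leak))  # EADDRINUSE
    print("rebind after closing it:", fixed)                           # None
```

The same holds for descriptors inherited across `fork()`: a child that is about to `exec` a scheduled command carries a copy of every listening fd unless it is closed or marked close-on-exec, which is why the supervisor's own bookkeeping of duplicated sockets matters.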
v0.17.2
- Bugfix: previously a lithos_tree process after fork but before execing lithos_knot could be recognized as an undefined child and killed. This race condition sometimes led to sockets being closed prematurely and lithos being unable to listen on them again.
v0.17.1
- Bugfix: passing sockets as FDs in non-bridged network was broken in v0.17.0
v0.17.0
- Breaking: add `external` flag to `tcp-ports`, which by default is `false` (previous behavior was equal to `external: true`)
- Bugfix: `lithos_cmd` now returns exit code 0 if the underlying command exited successfully (was broken in 0.15.5)
v0.16.0
- Breaking: remove `v1` encryption for secrets (it was alive for a week)
- Feature: add `secrets-namespaces` and `extra-secrets-namespaces` options to allow namespacing secrets on top of a single key
- Feature: add `v2` key encryption scheme
v0.15.6
- Feature: add `secret-environ` and `secrets-private-key` settings which allow passing decrypted environment variables to the application
- Bugfix: when bridged network is enabled we use `arping` to update the ARP cache
v0.15.5
- Bugfix: add support for bridged-network and ip-addresses for lithos_cmd
- Bugfix: initialize the loopback interface in the container when `bridged-network` is configured
- Feature: allow `lithos_cmd` without `ip_addresses` (only loopback is initialized in this case)
- Bugfix: return an error result from `lithos_cmd` if the inner process failed
v0.15.4
- First release that drops support for Ubuntu precise and adds a repository for Ubuntu bionic
- Bugfix: passing a TCP port as fd < 3 didn't work before; now we allow `fd: 0` and fail gracefully on 1 and 2.
v0.15.3
- feature: Add `default-user` and `default-group` to simplify container config
- bugfix: fix containers having symlinks at `/etc/{resolv.conf, hosts}` (broken in v0.15.0)
v0.15.2
- bugfix: containers without bridged network work again
v0.15.1
- nothing changed, fixed tests only
v0.15.0
- feature: Add `normal-exit-codes` setting
- feature: Add `resolv-conf` and `hosts-file` to sandbox config
- feature: Add `bridged-network` option to sandbox config
- breaking: By default `/etc/hosts` and `/etc/resolv.conf` will be mounted if they are proper mount points (can be opted out of in container config)
v0.14.3
- Bugfix: when more than one variable is used lithos was restarting the process every time (because of unstable serialization of a hashmap)
v0.14.2
- Bugfix: if `auto-clean` differs between several sandboxes looking at the same image directory we skip cleaning the dir and print a warning
- Add a timestamp to `lithos_clean` output (in `--delete-unused` mode)
v0.14.1
- Bugfix: variable substitution was broken in v0.14.0
v0.14.0
- Sets `memory.memsw.limit_in_bytes` if it exists (usually requires `swapaccount=1` in kernel params)
- Adds a warning-level message on process startup
- Duplicates startup and death messages into the stderr log, so you can correlate them with application messages
v0.13.2
- Upgrades many dependencies, no significant changes or bugfixes
v0.13.1
- Adds `auto-clean` setting
v0.13.0
- `/dev/pts/ptmx` is created with `ptmxmode=0666`, which makes it suitable for creating ptys by unprivileged users. We always used the `newinstance` option, so it should be safe enough. It also matches how `ptmx` is configured on most systems by default.
v0.12.1
- Added `image-dir-levels` parameter which allows using images in the form `xx/yy/zz` (for a value of `3`) instead of a bare name
v0.12.0
- Fixed order of `sandbox-name.process-name` in metrics
- Dropped setting `cantal-appname` (it was never useful, because cantal actually uses the cgroup name, and the lithos master process actually has one)
v0.11.0
- Option `cantal-appname` added to the config
- If no `CANTAL_PATH` is present in the environment we set it to a default, along with `CANTAL_APPNAME=lithos` unless `cantal-appname` is overridden.
- Added default container environment variable `LITHOS_CONFIG`. It may be used to log the config name, read metadata and for other purposes.