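rkt v1.5.0 has been released. Rocket (also called rkt) is a container engine from CoreOS. Like Docker, it helps developers package applications and their dependencies into portable containers, simplifying deployment work such as setting up environments. Where Rocket differs from Docker is that it lacks the "friendly features" Docker provides for enterprise users, such as cloud service acceleration tools and cluster systems. Put the other way around, what Rocket aims to be is a purer industry standard.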
- stage1: replace appexec with pure systemd (#2493). Replace functionality implemented in appexec with equivalent systemd options. This allows restricting the capabilities granted to apps in a pod and makes enabling other security features (per-app mount namespaces, seccomp filters…) easier.
- stage1: restrict capabilities granted to apps (#2493). Apps in a pod now receive a smaller set of capabilities.
- rkt/image: render images on fetch (#2398). On systems with overlay fs support, rkt was delaying rendering images to the tree store until they were about to run for the first time which caused that first run to be slow for big images. When fetching as root, render the images right away so the first run is faster.
- kvm: fix mounts regression (#2530). Cause: AppRootfsPath, when called with the local “root” value, was adding stage1/rootfs twice. This change corrects that.
- rkt/image: strip “Authorization” on redirects to a different host (#2465). We no longer pass the “Authorization” header if the redirect goes to a different host, because it can leak sensitive information to unexpected third parties.
- stage1/init: interpret the string “root” as UID/GID 0 (#2458). This is a special case and it should work even if the image doesn’t have /etc/passwd or /etc/group.
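
The redirect rule from the #2465 entry above, sketched as a Go `http.Client` `CheckRedirect` hook. This is an added example, not rkt's own code: the function names, the hostnames and the token are constructed, and it assumes "different host" means a case-insensitive mismatch of `URL.Host` against the first request in the chain.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// stripAuthOnHostChange has the signature of http.Client.CheckRedirect.
// req is the upcoming redirected request; via holds earlier requests, oldest first.
// The credential was meant for via[0]'s host, so it is dropped for any other host.
func stripAuthOnHostChange(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	if len(via) > 0 && !strings.EqualFold(req.URL.Host, via[0].URL.Host) {
		req.Header.Del("Authorization")
	}
	return nil
}

// followOnce simulates one redirect hop offline and returns the
// Authorization value that would be sent to the redirect target.
func followOnce(from, to, token string) (string, error) {
	orig, err := http.NewRequest("GET", from, nil)
	if err != nil {
		return "", err
	}
	orig.Header.Set("Authorization", token)
	next, err := http.NewRequest("GET", to, nil)
	if err != nil {
		return "", err
	}
	next.Header = orig.Header.Clone() // worst case: client copies all headers
	if err := stripAuthOnHostChange(next, []*http.Request{orig}); err != nil {
		return "", err
	}
	return next.Header.Get("Authorization"), nil
}

func main() {
	// Constructed sample values, not taken from rkt or any real registry.
	src := "https://registry.example.com/v2/app"
	for _, dst := range []string{"https://registry.example.com/v2/blob", "https://cdn.example.net/blob"} {
		auth, _ := followOnce(src, dst, "Bearer constructed-token")
		fmt.Printf("%s -> Authorization=%q\n", dst, auth)
	}
}
```

To use the hook on real traffic, set it as `CheckRedirect` on the `http.Client` that performs the image fetch.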