Rocket v1.6.0 发布了，此次发布Rocket安全性得以提升。提供了隔离防护，为每一个应用程序分配一个命名空间。具体改进如下：
- stage1: implement read-only rootfs (#2624). Using the Pod manifest readOnlyRootFS option mounts the rootfs of the app as read-only using systemd-exec unit option ReadOnlyDirectories, see appc/spec.
- stage1: capabilities: implement both remain set and remove set (#2589). It follows the Linux Isolators semantics from the App Container Executor spec, as modified by appc/spec#600.
- stage1/init: create a new mount ns for each app (#2603). Up to this point, you could escape the app’s chroot easily by using a simple program downloaded from the internet 1. To avoid this, we now create a new mount namespace per each app.
- api: Return the pods even when we failed getting information about them (#2593).
- stage1/usr_from_coreos: use CoreOS 1032.0.0 with systemd v229 (#2514).