Releases: kontena/kontena

1.5.4

10 Aug 10:25
@kke kke
8d68c77

Changelog

1.5.4 (2018-08-10)

Fixes CLI installer build (again)

Changes

CLI

  • Backport: Build: override libxslt download url (#3367) (#3368)

1.5.4-rc1

10 Aug 07:43
@kke kke
Pre-release

1.5.4-rc1 (2018-08-10)

Fixes CLI installer build (again)

Changes

CLI

  • Backport: Build: override libxslt download url (#3367) (#3368)

1.5.2

12 Mar 09:56
@kke kke
7232ab4

1.5.2 (2018-03-12)

Changes

Master

  • Fix service scale to set service running state (#3299)
  • Fix server RpcServer to not hang the actor thread (#3276)

CLI

  • Fix cli certificate authorize --help for http-01 (#3318)
  • Clean CLI stacks cache debug puts (#3319)

1.5.1

01 Mar 12:48
@kke kke

Note: Release of the CLI installers stalled because SourceForge is in disaster recovery and the package builder can't download the libraries. There were no changes to the CLI between 1.5.0 and 1.5.1 except the version number.

Upgrade to 1.5.0 caused a crash loop if a grid with certificates was ever deleted. (#3312)

Changes

Master

  • Remove orphaned certificates and fix crashing migration (#3313)

v1.5.0

28 Feb 11:22
@kke kke

Version 1.5 Highlights

Security Improvements

The Kontena Vault now uses a stronger key derived from the configured VAULT_KEY for encrypting vault secrets. The configured VAULT_KEY was previously truncated to the first 32 bytes, limiting the effective AES-CBC key strength to 128 bits for hexadecimal values, or 192 bits for base64-encoded values. Existing vault secrets will be re-encrypted using the stronger key on upgrade. (PR #3248 / Issue #3247)

The Kontena Vault secrets are now encrypted using a random AES-CBC Initialization Vector (IV) that is randomized for each secret. The configured VAULT_IV was previously used as a static IV shared across all encrypted secrets, but is no longer required. Existing vault secrets will be re-encrypted using randomized IVs on upgrade. (PR #3184 / Issue #3183)
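
The effect of the two vault changes above, as an added Ruby example that is not Kontena's own code: it shows why a truncated text key loses strength and what a shared CBC IV reveals. The SHA-256 derivation, the helper names and the sample values are assumptions; the release notes do not name the derivation function Kontena uses.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Key bits that survive cutting a text VAULT_KEY to 32 bytes:
# a hex character carries 4 bits, a base64 character 6 bits.
def effective_key_bits(vault_key, bits_per_char)
  [vault_key.bytesize, 32].min * bits_per_char
end

# Old behaviour from the notes: the first 32 bytes of the string are the key.
def truncated_key(vault_key)
  vault_key.byteslice(0, 32)
end

# Assumed stand-in for the stronger derivation (the notes do not name the
# function): hash the whole configured value down to 32 bytes.
def derived_key(vault_key)
  Digest::SHA256.digest(vault_key)
end

def aes_cbc(mode, key, iv, data)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.update(data) + cipher.final
end

# New behaviour: a fresh IV per secret, stored in front of the ciphertext.
def encrypt_random_iv(key, plaintext)
  iv = SecureRandom.random_bytes(16)
  iv + aes_cbc(:encrypt, key, iv, plaintext)
end

def decrypt_random_iv(key, blob)
  aes_cbc(:decrypt, key, blob.byteslice(0, 16), blob.byteslice(16..-1))
end

# Constructed sample values, not real configuration or secrets.
KEY_A     = 'a1' * 16 + '00' * 16   # 64 hex characters
KEY_B     = 'a1' * 16 + 'ff' * 16   # differs only after character 32
STATIC_IV = '0123456789abcdef'      # 16 bytes, shared by every secret
SECRET_1  = 'postgres://app:pw@db/primary'
SECRET_2  = 'postgres://app:pw@db/replica'
```

Encrypting SECRET_1 and SECRET_2 with STATIC_IV gives the same first 16 ciphertext bytes because the secrets share their first block, while two encrypt_random_iv calls on the same secret give unrelated blobs. KEY_A and KEY_B collapse to the same truncated key but to different derived keys.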

A potential XSS vulnerability in the "kontena master login --remote" code display has been fixed. (#3223)

Options After Parameters

Commands that accept parameters now also accept options after the parameter. For example,
these commands did not work before:

$ kontena stack deploy example-stack --help
ERROR: too many arguments
$ kontena stack rm example-stack --force
ERROR: too many arguments

Note that if you need to use something that looks like an option as a parameter, you need to use the
common double dash -- option break indicator:

$ kontena master ssh ls -al
ERROR: Unrecognised option '-l'
$ kontena master ssh -- ls -al
$ kontena vault write -- SECRET --secret-password--

Kontena Stack Registry V2 API And The New 'meta' Fields

While mostly invisible to the end-user, the CLI stack registry API client is now using
the completely rewritten stack registry and the V2 JSON-API it offers. The registry
supports GZip responses, private stacks, server-side stack YAML validation and parsing
of the new top level 'meta:' fields.

The meta fields can be used to add extra information to stacks published in the registry.

You can find the full set of accepted metadata fields in the pull request #3219 description.

As the CLI HTTP client now supports gzip compressed responses, we have also added the option
to enable compression in the Kontena Master API. To enable, set KONTENA_SERVER_GZIP=true
in the Master environment.

Drop Support For Ruby 2.1, Build Installer With Embedded Ruby 2.5.0

As the Ruby 2.1 branch has been out of development for almost a year now, it's time to upgrade
if you haven't already.

The macOS Kontena CLI installation package is now bundled with Ruby version 2.5.0.

Ruby 2.2 is nearing its EOL at the end of March 2018.

Process Multiple Items In One Command

Many of the subcommands can now accept a list of items instead of just one. This is handy in
shell scripts and one-liners, for example:

$ kontena vault ls -q | xargs kontena vault rm --force
$ kontena vault rm --force $(kontena vault ls -q)

Master Authentication Token Descriptions

You can now add descriptions to the master authentication tokens:

$ kontena master token create -e 0 --description "deploy key"
$ kontena master token ls
ID                         TOKEN_TYPE   TOKEN_LAST4   EXPIRES_IN   SCOPES       DESCRIPTION
5a8c275351d1a1001566a4ef   bearer       f539          never        user         deploy key

Health Check

The agent now uses the port in health check definition when configuring the load balancer. (PR #3113 / Issue #1709)

Example configuration:

    health_check:
      protocol: http
      uri: /
      port: 8000

The health check will now consider HTTP 3XX status codes as healthy. (PR #3265 / Issue #1790)

Logging Container Crashes

It was previously not possible to see whether a container restarted because it crashed or because the restart was intentional, caused for example by a deploy or a manual restart. (#3286)

2018-02-16T14:43:26.731698302Z container die 9d21e309419ffbd32d75ab4bf544baf4deefb491934a762fc88b5c34a3071a52 (exitCode=137...)

Service Affinities

When scheduling a service with an affinity like service==api, only the bare service names were previously matched, without considering their stack scope. If multiple stacks had identically named services that matched the affinity filter, then all of those external services would have been considered as matching candidates. (PR #2967 / Issue #2911)

You can now set the stack scoped affinity as service==stack/api.

The affinity filters can now also include regular expressions such as node!=/^node-(2|3)$/. (PR #3099 / Issue #2909)

Daemon Strategy Node Stickiness

When a service has been deployed using the daemon strategy and a node goes offline, the scheduler now keeps the existing instances on the nodes they were running on already. (#3137)

Node   All Online   Node 2 Offline Before 1.5   Node 2 Offline With Kontena 1.5
1      instance-1   instance-1                  instance-1
2      instance-2
3      instance-3   instance-2                  instance-3
4      instance-4   instance-3                  instance-2

Let's Encrypt Certificate Challenges

The Kontena Let's Encrypt certificate integration now supports http-01 challenges as a replacement for the disabled tls-sni-01 challenges. (PR #3212 / Issue #3209)

Changes

Agent

  • Add health check port to LB configs (#3113)
  • Add Agent Watchdog supervisor to agent (#3135)
  • Fix agent ServicePodWorker to ignore stale container events (#3259)
  • Change agent health check to accept HTTP 3xx as healthy (#3265)
  • Log container healthcheck errors (#3284)
  • Log service:instance_exit event on container crashes (#3286)
  • Fix agent to unregister LB service backends earlier during container shutdown (#3287)
  • Fix agent container log dropping entries when queue size exactly matches the throttle limit (#3288)

Agent + Server

  • Use GridService revision for service/container updates (#2371)
  • Improve agent ServicePodWorker container restart handling (#2780)

Server

  • Remove server AsyncHelper#async_thread (#2786)
  • Fix service affinity filters to be stack-scoped (#2967)
  • Cap stack/service deploy collections (#3041)
  • Deploy tls-sni challenge certs as separate SSL_CERT_acme_challenge_* envs (#3076)
  • Support regex in affinity filters (#3099)
  • Remove dependant service logic (#3100)
  • Validate tls-sni domain authorization linked service port (#3132)
  • Enhance daemon strategy to implement node stickiness (#3137)
  • Use random initialization vector (#3184)
  • Fix server certificate domain verification request error handling (#3186)
  • Add cleaner job for old deployments (#3191)
  • Remove deprecated GridServiceHealthMonitorJob (#3202)
  • Resolve notification message receivers properly when grid is deleted (#3214)
  • Fix server Celluloid::Proxy::Async leak from RPC /container/health handler (#3217)
  • Fix server MongoPubsub to restart subscriptions after crashing (#3218)
  • Fix potential XSS vulnerability in master remote login code display (#3223)
  • Enable server API gzip encoding when KONTENA_SERVER_GZIP=true (#3241)
  • Server: Derive stronger SymmetricEncryption key from the configured VAULT_KEY (#3248)
  • Change GridService.stop_grace_period to Integer (#3275)
  • Upgrade server api-docs build system nokogiri to 1.8.2 (#3309)

Server + CLI

  • Make --email optional in external-registry add (#3055)
  • Add description field to master authentication access tokens ([#3211](https://github.c...

v1.5.0.rc1

23 Feb 14:01
@kke kke
575c03f
Pre-release

Release 1.5.0 RC1

v1.5.0.pre5

20 Feb 11:30
@kke kke
Pre-release
Bump to 1.5.0.pre5

v1.5.0.pre4

20 Feb 10:19
@kke kke
Pre-release
Bump to 1.5.0.pre4

v1.5.0.pre3

19 Feb 13:43
@kke kke
Pre-release
Bump to 1.5.0.pre3

v1.5.0.pre2

19 Feb 12:18
@kke kke
Pre-release
Bump to 1.5.0.pre2