This is a major release that adds a number of important features and refinements. Most importantly, a new automated test harness that simulates various process mixes has been added to the release process to assure that Chaperone manages processes in a consistent and reliable way from release to release.
In addition, Chaperone now recognizes NOTIFY_SOCKET upon start-up, and will inform the host's systemd of the status of the container. This adds to Chaperone's existing support for notify-type processes within the container. This means that container designers can choose any of a number of methods of signalling process readiness inside the container while Chaperone will translate those actions into suitable systemd notifications for the host.
This version is completely backward-compatible with older Chaperone versions.
Enhancements:
- Chaperone will recognize the
NOTIFY_SOCKETenvironment variable if passed upon start-up and provide fullsystemdcompatible notifications to the host. - The detect_exit global setting, which defaults to
truetells Chaperone to attempt to determine when all processes have completed and automatically terminate the container. This was the previous default behavior, but the new setting provides flexibility for containers which remain dormant until processes are started manually. - There is now a
telchap shutdowncommand which provides orderly container shutdown from scripts. - Added the
sdnotify-executility which is a multi-purpose wrapper which can be used to proxyNOTIFY_SOCKETcommunication to the host, or can be used to determine if a container is properly started even outside ofsystemdcontexts.
Refinements:
- Exit detection is now smarter about
cronandinetdjobs and will not cause container exit if either of those types have scheduled operations which have not yet been triggered. - The --disable-services switch now truly disables services rather than not defining them. Therefore, containers in such containers can now be started manually.
- Cron-type services now have more well-defined behavior for
telchap stopwhich will unschedule the service, andtelchap resetwhich will merely kill the current job and reschedule another. - If Chaperone
notify-type services signal withERRNO=n, then Chaperone will intelligently pass this error number up tosystemdif the error was the direct cause of container termination, otherwise it is noted in the logs andsystemdwon't find out about it.
Enhancements:
- Both
uidandgidcan be specified using the path-format of the --create-user command-line switch.
Refinements:
- The
${ENV:-foo}expansion format now behaves likebashwhere 'foo' is the result if the variableENVis undefined or null (blank). Previously, it required that the variable be undefined. This behavior is now consistent throughout all expansion operators. - Improved the environment expansion code to handle outlying cases, as well as be signfiicantly more readable. Used coverage analysis to improve unit test coverage for complex expansions involving recursion.
Bug fixes:
- Newer versions of Python's
asyncio(present in some distros) could hang when starting an inetd-style socket process.
Enhancements:
- Add support for inetd-compatible dynamic TCP socket connections. See the description of the port configuration parameter for a complete description of this feature.
- Added _CHAP_SERVICE_SERIAL and _CHAP_SERVICE_TIME environment variables to provide useful information to 'cron' and 'inetd' services which may execute multiple times.
- Added the ability to add a
gidnumber to the path-based format of the --create-user command-line switch.
Bug Fixes:
- Fixed
telchap stopso that it no longer would cause service restarts to occur. - Improved the service restart logic to handle a wider variety of service failure situations.
Enhancements:
- Add support for --create-user name:/path so that user identity can be based upon the permissions set for a given path. This helps workaround the file permissions issues under OSX/VirtualBox where you can't really modify the mounted file permissions and instead "get what you get".
Enhancements:
- Add support for --archive/-a to envcp.
Refinements:
- Allow backslash-escaping of VBAR construct contents in environment variable if-then-else construct.
Refinements:
- Create a special-case syntax for shell escapes:
$(`shell-command`)mainly to assure that such syntaxes are propery supported instead of being expanded as a side-effect. Previously, the syntax above would treat the result of the command as the name of an environment variable, and since it was not found, would insert the results. Since it was a useful trick, formalizing the use and eliminating edge cases was important. - Disabled shell escapes by default in
envcpand added the--shell-enableswitch to enable them. - Added further documentation about shell escapes to clarify exactly how they work and how they should be used.
Enhancements:
- Added documentation for
envcpin the new utilities section of the documentation. - Enhanced environment-variable expansions so they are smart about nesting.
- Fixed syslog receiver so that trailing newlines are stripped (programs like
sudoandopenvpnterminate their log lines this way, even though it is a questionable practice).
Enhancements:
- Added the
:/regex substitution expansion option, which provides a more extensive and useful feature set than the bash-compatible options. - Updated the documentation to reflect the new expansion option and added a footnote about bash compatibility.
Enhancements:
- Added the
:?and:|environemnt variable expansion options. The first works similarly to bash and raises an error if a variable is not defined. The second adds more versatility to expansions by allowing the expansion to depend upon the particular value of a variable. - Added documntation for the above.
Bug Fixes:
- Made
setproctitlean optional install so that--no-install-recommendscan be used onapt-getinstalls to streamline image size (#1, @mc0e)
Other:
- PyPi distribution is no longer done in "wheel" format, since that limits the ability to include optional dependencies. Source format is used instead.