polydawn / repeatr

Repeatr: Reproducible, hermetic Computation. Provision containers from Content-Addressable snapshots; run using familiar containers (e.g. runc); store outputs in Content-Addressable form too! JSON API; connect your own pipelines! (Or, use github.com/polydawn/stellar for pipelines!)
https://repeatr.io
Apache License 2.0

Update runc #96

Closed warpfork closed 7 years ago

warpfork commented 7 years ago

A NEW RUNC BINARY APPEARS

This one with a reproducible build from source...!! (See https://github.com/polydawn/formulary/commit/f37f636e2e9995def4b00a3c72a32675a85e763b.)

Security improvements from upstream. Fresh pass over config. (Mknod now more restricted. Not that we allow it at all except at fairly high powered policy levels.)

Looks like some interesting bugs in the old version of runc, like caps not being granted correctly if we switched uids, are probably going to be fixed by this, so that's exciting. Probably lots of good stuff like this.

Error handling updated... not thrilled with all of that code, but we seem to have it in a state that works. All the tests pass. Getting it there required doing some interesting new stuff with making stderr blocking. Hopefully that doesn't turn out to be too fragile (and hopefully upstream will make some better options available soon). (Previously our runc binary contained our own patches for that; now we're building upstream sources unmodified, thus requiring this new workaround.)
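One way to implement the "make stderr blocking" workaround mentioned above, as an added example and not repeatr's own code: O_NONBLOCK is a file status flag on the shared open file description, so if a child process that inherited fd 2 flips it, the parent's later writes can fail with EAGAIN; the helper names below are assumptions of this example (Linux/Unix only).

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// isNonblocking reports whether O_NONBLOCK is set on fd.
// The flag lives on the open file description, which is shared with any
// process that inherited the descriptor, so it can change under our feet.
func isNonblocking(fd int) (bool, error) {
	flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFL, 0)
	if errno != 0 {
		return false, errno
	}
	return flags&syscall.O_NONBLOCK != 0, nil
}

// ensureBlocking clears O_NONBLOCK on fd so that large writes (e.g. error
// output collected from a container runtime) block instead of returning
// EAGAIN and silently truncating the message.
func ensureBlocking(fd int) error {
	return syscall.SetNonblock(fd, false)
}

func main() {
	// Hypothetical usage: normalise our own stderr before writing a lot to it.
	fd := int(os.Stderr.Fd())
	before, err := isNonblocking(fd)
	if err != nil {
		fmt.Println("fcntl failed:", err)
		return
	}
	if err := ensureBlocking(fd); err != nil {
		fmt.Println("could not clear O_NONBLOCK:", err)
		return
	}
	after, _ := isNonblocking(fd)
	fmt.Printf("stderr nonblocking: before=%v after=%v\n", before, after)
}
```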