Key changes include manifest changes related to policy server DB configuration, logging enhancements and testing related to data plane security.
We do not recommend using netman-release in production yet, but give it a try and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.
Verified with the following:
Significant Changes
Manifest Changes
Logging
- Log levels for vxlan-policy-agent are reconfigurable at runtime
- Logging for c2c iptables is reconfigurable at runtime
- Log levels for policy-server are reconfigurable at runtime
Security
- Move flannel state dir to something under /var/vcap
- As an attacker my containers can reach local addresses on the host VM
- Redact tokens/passwords in policy server log messages
Miscellaneous
- netman-release has a NOTICE file with license information
- Containers can be created while policy server is down and receive traffic when the policy-server comes back up
- Masquerade rule should be written by something other than vxlan-policy-agent
- SPIKE: Containers can connect to an IP address on the host