github dunglas/mercure v0.23.5

4 hours ago

A small but important patch release that closes the two known issues we documented in v0.23.4. Hubs that drop ALL capabilities now exec cleanly without the binary's file capability tripping the kernel's bounding-set check, and the chart's /data path is always mounted so any Caddy module that writes under caddy.AppDataDir() (notably rate_limit) works under readOnlyRootFilesystem: true out of the box. With v0.23.5 you can drop every capability, mount nothing extra, and the chart just works.

🐛 Bug Fixes

  • Helm: Mount /data unconditionally (an emptyDir when persistence is off, the PVC when it is on). This fixes pods crashing with "read-only file system" when readOnlyRootFilesystem: true is set and a Caddy module needs to write under /data (for example rate_limit, which writes its instance UUID to /data/caddy/instance.uuid). Previously /data was only mounted when persistence.enabled: true, which forced a PVC onto every Redis/Postgres/Kafka/Pulsar deployment that wanted a hardened root filesystem, by @dunglas in #1233
  • Docker: Drop the RUN setcap cap_net_bind_service=+ep /usr/bin/caddy line. Modern container runtimes (containerd 1.5+, cri-o, Docker 20.10+) set net.ipv4.ip_unprivileged_port_start=0 inside the container, so any unprivileged process can bind any port without that capability. The setcap was load-bearing on older runtimes but is moot today, and the file capability collided with restrictive Kubernetes securityContexts that drop ALL capabilities: the kernel refuses to exec a binary whose permitted file capabilities are not a subset of the process's bounding set, so drop: [ALL] without a matching add crash-looped pods with exec /usr/bin/caddy: operation not permitted. Removing the setcap removes that footgun, by @dunglas in #1234

📖 Documentation

  • Helm and install.md: Update the rootless deployment example to recommend the simplest configuration (drop ALL capabilities, run as non-root, read-only rootfs, no targetPort tweak). service.targetPort: 8080 stays documented as a fallback for older runtimes where ip_unprivileged_port_start is still 1024. Bundled into #1234.
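The rootless deployment these notes describe, written out as an added Kubernetes manifest rather than the chart's own template or the project's docs; the image tag, the non-root UID, the Secret name and the SERVER_NAME environment variable used for the port fallback are assumptions.

```yaml
# Added example: a hardened Mercure hub Deployment matching the v0.23.5 guidance.
# Not the chart's template; image tag, UID, Secret name and env var are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mercure
spec:
  replicas: 1
  selector:
    matchLabels: { app: mercure }
  template:
    metadata:
      labels: { app: mercure }
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532               # assumed non-root UID; any non-zero UID works
      containers:
        - name: mercure
          image: dunglas/mercure:v0.23.5   # assumed tag
          envFrom:
            - secretRef:
                name: mercure-secrets  # assumed Secret holding the publisher/subscriber JWT keys
          ports:
            - containerPort: 80        # fine on containerd 1.5+, cri-o, Docker 20.10+:
                                       # ip_unprivileged_port_start=0 inside the container
          # Fallback for older runtimes where ip_unprivileged_port_start is still 1024:
          # set SERVER_NAME=':8080' (assumed Caddy/Mercure variable), use containerPort 8080
          # and point the Service at it, i.e. the chart's service.targetPort: 8080.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]            # safe now: the image no longer sets +ep on /usr/bin/caddy
          volumeMounts:
            - name: data
              mountPath: /data         # caddy.AppDataDir(); rate_limit writes caddy/instance.uuid here
      volumes:
        - name: data
          emptyDir: {}                 # what the chart mounts when persistence.enabled is false
```

After rollout the pod should reach Running rather than CrashLoopBackOff, and its logs should no longer contain exec /usr/bin/caddy: operation not permitted or a read-only file system error from /data.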

Mercure Cloud tenants are already running on this release, because we manage the cluster on their behalf, alongside the production transports (Redis, Kafka, Pulsar, Postgres) and an SLA-backed managed offering. Mercure Enterprise brings the same hardening on-premises plus the HA transports and priority support. Contact contact@mercure.rocks for the managed cloud offering, on-premises licenses, custom development, consulting, and training.

Full Changelog: v0.23.4...v0.23.5
