Bug fixes in this release:
-
Official docker container will now run as non-root user (#210):
This improves the security of our official container and was requested by several users. -
Use fixed clone path for containerized opal server (#211):
This solves a race condition we observed in some kubernetes environments. If the leader worker is killed - the next leader will pick a different clone directory and will reclone the git repo. Due to the time it takes to clone a git repo this creates a race with policy bundle requests that issue agit diff-treecommand to a non-cloned repo and will cause exceptions. The new fixed version will not used a randomized clone directory if running inside docker (the official docker container sets this behavior with a new config var:OPAL_POLICY_REPO_REUSE_CLONE_PATH
NOTICE:
Some power users of OPAL are know to mount paths from the container to the external filesystem. For these users, please be aware that you might need to fix your mount paths from /app/… to /opal/… which is now the WORKDIR in the new official image (was / in the old image). Check out OPAL's Dockerfile to see if you are affected. Since this is an implementation detail of OPAL we do not consider this a breaking change. No public or otherwise documented APIs are changed by this release.
All praise to @roekatz for his great work on this release!