This release is mostly focused on fixing a few small bugs and implementing more restrictive security policies in containers.
An upgrade guide is available here.
New Features
- Configurable DNS servers in core configuration for docker containers.
- Bungeecord containers no longer spam up the console with ping information.
- Use `container:port` in configuration files in place of `localhost` or `127.0.0.1` for local resolving (i.e. Bungeecord).
Bug Fixes
- If an environment variable is set to null, it is no longer sent to the docker container at all. Fixes the unset variable check bug for Spigot building.
- Fixed the startup sequence to actually mark the status as starting, and to prevent querying the server until it has completely started.
Security
- Root filesystem in containers is now entirely read-only. Container applications can only write to `/home/container` and `/tmp`.
- Prevent logging server output through docker logging methods. Fixes a potential DoS attack vector (and also saves space).
- Drops the following capabilities from containers, in addition to those dropped by default: `setpcap`, `mknod`, `audit_write`, `chown`, `net_raw`, `dac_override`, `fowner`, `fsetid`, `kill`, `setgid`, `setuid`, `net_bind_service`, `sys_chroot`, `setfcap`.
- Containers are now in isolated networks and unable to directly connect to a container's specific IP address. The daemon will automatically create this network interface on boot.
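As an added example (not the daemon's own code), the following Python check audits a container's `HostConfig`, in the shape `docker inspect` returns, against the policy described in this Security section: read-only root filesystem, writes only to `/home/container` and `/tmp`, no docker log driver, the listed capabilities dropped, and no attachment to the default or host network. The inspect data is constructed and the function, constant names and paths are hypothetical.

```python
"""Audit a container's HostConfig (the shape `docker inspect` returns) against the
hardening policy in these release notes."""
import json

# Capabilities dropped by this release, in addition to Docker's own defaults.
DROPPED_CAPS = {
    "setpcap", "mknod", "audit_write", "chown", "net_raw", "dac_override",
    "fowner", "fsetid", "kill", "setgid", "setuid", "net_bind_service",
    "sys_chroot", "setfcap",
}

def audit_container(inspect_json):
    """Return a list of policy violations; an empty list means compliant."""
    info = json.loads(inspect_json)
    # `docker inspect` prints a one-element list; a bare object is accepted too.
    host = (info[0] if isinstance(info, list) else info)["HostConfig"]
    findings = []
    if not host.get("ReadonlyRootfs", False):
        findings.append("root filesystem is writable")
    # Docker reports CapDrop as CAP_NET_RAW or NET_RAW depending on version.
    dropped = {c.lower().replace("cap_", "", 1) for c in host.get("CapDrop") or []}
    missing = DROPPED_CAPS - dropped
    if missing:
        findings.append("capabilities not dropped: " + ", ".join(sorted(missing)))
    if host.get("LogConfig", {}).get("Type") != "none":
        findings.append("container output goes to a docker log driver")
    if "/tmp" not in (host.get("Tmpfs") or {}):
        findings.append("/tmp is not a tmpfs mount")
    # Binds are "source:target[:options]"; only /home/container may be writable.
    for bind in host.get("Binds") or []:
        parts = bind.split(":")
        target = parts[1] if len(parts) > 1 else parts[0]
        opts = parts[2].split(",") if len(parts) > 2 else ["rw"]
        if target != "/home/container" and "ro" not in opts:
            findings.append("writable mount outside /home/container: " + target)
    if host.get("NetworkMode") in (None, "", "default", "bridge", "host"):
        findings.append("attached to the default or host network, not an isolated one")
    return findings

# Constructed sample inspect output (not real daemon output); paths are placeholders.
COMPLIANT = json.dumps({"HostConfig": {
    "ReadonlyRootfs": True,
    "CapDrop": ["CAP_" + c.upper() for c in sorted(DROPPED_CAPS)],
    "LogConfig": {"Type": "none", "Config": {}},
    "Tmpfs": {"/tmp": "rw,nosuid,size=50M"},
    "Binds": ["/srv/servers/example/:/home/container", "/etc/localtime:/etc/localtime:ro"],
    "NetworkMode": "isolated_nw",
}})
DEFAULTS = json.dumps({"HostConfig": {"ReadonlyRootfs": False, "CapDrop": [],
                                      "LogConfig": {"Type": "json-file"}, "NetworkMode": "default"}})
```

Feed it the output of `docker inspect <container>` to confirm a running server container actually received the new policy.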