debian/changelog

yandex-porto (5.3.15) unstable; urgency=low

  [ Lev Pantyukhin ]
  * portodshim: add README.md

  [ Dmitry Yakunin ]
  * portodshim: set limits on containers too
  * ci: add example of using update_tar_bases.sh with script

  [ Lev Pantyukhin ]
  * portodshim: add default metadata labels and add nil checks in prepareContainerNetwork
  * porto: enable image removing using ID

 -- Lev Pantyukhin <kndrvt@yandex-team.ru>  Fri, 20 Jan 2023 12:23:10 +0300

yandex-porto (5.3.14) unstable; urgency=low

  * docker: fix bug with new tag addition

 -- Lev Pantyukhin <kndrvt@yandex-team.ru>  Thu, 12 Jan 2023 17:52:47 +0300

yandex-porto (5.3.13) unstable; urgency=low

  [ Dmitry Yakunin ]
  * docker: image storage restructurization
  * memory: add config option to make a gap between max and high limits

  [ Lev Pantyukhin ]
  * Revert "storage: add logs to ImportArchive"
  * storage: log time of waiting a slot for place load
  * cgroup: log infinity loop in AttachAll

 -- Lev Pantyukhin <kndrvt@yandex-team.ru>  Fri, 30 Dec 2022 14:18:00 +0300

yandex-porto (5.3.12) unstable; urgency=low

  [ Dmitry Yakunin ]
  * README: add g++
  * cpu: fix jail usage calculation on node -> node + jail cpu_set switching

  [ Lev Pantyukhin ]

 -- Lev Pantyukhin <kndrvt@yandex-team.ru>  Wed, 23 Nov 2022 14:00:33 +0300

yandex-porto (5.3.11) unstable; urgency=low

  * release-porto: fix
  * portodshim: update porto in go.mod and go.sum
  * portodshim: fix build

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 22 Nov 2022 10:29:35 +0300

yandex-porto (5.3.10) unstable; urgency=low

  [ Dmitry Yakunin ]
  * portodshim: fix ExecSync timeout and exit_code handling

  [ Lev Pantyukhin ]
  * portodshim: fix stderr with tty
  * portodshim: add path skipping in prepareContainerMounts
  * docker: fix image fullname for DockerImageNotFound
  * container: recalculate cpu_guarantee_bound when cpu_guarantee is applying
  * portodshim: refactor logs
  * storage: fix Storage::List for DockertLayer without blobs directory
  * docker: change porto_docker and images directory owner
  * api: refactor golang api for cpu optimization

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 21 Nov 2022 21:32:58 +0300

yandex-porto (5.3.9) unstable; urgency=low

  [ Dmitry Yakunin ]
  * release-porto: add sync_upstream subcommand
  * api: go: add spec api methods
  * portodshim: use UpdateSpec request to set command_argv
  * api: change TDockerImage command and env fields to arrays
  * portodshim: update porto in go.mod

  [ Lev Pantyukhin ]
  * portodshim: disable lumberjack logrotate

  [ Dmitry Yakunin ]
  * container: add SYS_NICE to bounding set if rt_priority is enabled in config

  [ Lev Pantyukhin ]
  * portodshim: change registry authentication to k8s secrets

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Thu, 10 Nov 2022 23:22:31 +0300

yandex-porto (5.3.8) unstable; urgency=low

  [ Lev Pantyukhin ]
  * portodshim: disable logshim in Exec()

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Thu, 03 Nov 2022 19:57:04 +0300

yandex-porto (5.3.7) unstable; urgency=low

  [ Anton Suvorov ]
  * portodshim: normalize container paths for volumes
  * portodshim: use command_argv for porto
  * portodshim: add logshim prototype

  [ Dmitry Yakunin ]
  * container: increase max label value size to 65536
  * portodshim: always unlink volume from the root container

  [ Anton Suvorov ]
  * portodshim: resolve cmd absolute path in containers
  * porodshim: implement ExecSync() API

  [ Lev Pantyukhin ]
  * storage: add logs to ImportArchive
  * portodshim: add Exec() prototype
  * portodshim: refactor mappers and streaming

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Thu, 03 Nov 2022 19:15:51 +0300

yandex-porto (5.3.6) unstable; urgency=low

  [ Lev Pantyukhin ]
  * debian: restart portodshim service after install

  [ Stanislav Ivanichkin ]
  * portodshim: pass network limits through annotations

  [ Dmitry Yakunin ]
  * portodshim: add registries config
  * http: return status as errno in errors
  * docker: allow to customize docker registry auth path
  * test: fix label test

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 28 Oct 2022 23:27:57 +0300

yandex-porto (5.3.5) unstable; urgency=low

  [ Lev Pantyukhin ]
  * portodshim: increase max id length
  * volume: restrict system path as volume path and change path to default at portodshim mount volumes
  * portoctl: add Storage to volumes listing

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 25 Oct 2022 12:41:21 +0300

yandex-porto (5.3.4) unstable; urgency=low

  [ Lev Pantyukhin ]
  * portodshim: fix pod or container id length
  * docker: fix quotes at image command

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 18 Oct 2022 00:15:01 +0300

yandex-porto (5.3.3) unstable; urgency=low

  [ Lev Pantyukhin ]
  * volume: allow bind file as volume
  * test: add file binding case to mount test
  * volume: allow non-directory path for file binding
  * network: allow sysctl with netns
  * volume: fix path for file binding

  [ Dmitry Yakunin ]
  * common: increase label max length to 4096
  * volume: relax overlap check for bind volumes

  [ Stanislav Ivanichkin ]
  * allowed mount files
  * check error on set label props
  * Supported resolv_conf, sysctl properties
  * fixed comment

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 17 Oct 2022 16:33:20 +0300

yandex-porto (5.3.2) unstable; urgency=low

  [ Dmitry Yakunin ]
  * volume: allow system directories for root

  [ Lev Pantyukhin ]
  * quota: add vcheck call response

  [ Stanislav Ivanichkin ]
  * portodshim: added support Mounts spec at pod/container start * pass command args to container * pass env to container * fixed labels for Container * split CreateContaoner and RunPodSandbox funcs into few small funcs (prepareContainer*)
  * allow run pods without net if cni wasn't initialized
  * pass cpu/memory_limit to pod
  * save imageName variable for reusing it
  * don't use commnd's args from spec if command wasn't defined
  * deleted main
  * fixed logging * fixed loggind in PodSandboxStatus * pass exsisted logpath to io.kubernetes.container.logpath
  * checking if a variable not nil in prepare* funcs
  * checking if a variable not nil in prepare* funcs
  * pass args to command even thought command wasn't in spec

  [ Dmitry Yakunin ]
  * docker: fix duplicate layers handling
  * http: support redirect to the same host

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Thu, 13 Oct 2022 15:20:31 +0300

yandex-porto (5.3.1) unstable; urgency=low

  [ Lev Pantyukhin ]
  * portodshim: init commit
  * portodshim: add draft of container manipulation methods
  * portodshim: add draft of pod manipulation methods
  * portodshim: add draft of image mapper
  * portodshim: add image manipulation methods
  * portodshim: add Statuses and Stats
  * portodshim: add porto connection per request via GRPC interceptor and refactor modules
  * portodshim: add volume with image to container and image parsing
  * portodshim: add debug logs and other API version
  * portodshim: labels and annotations
  * portodshim: set labels at one request and fix container status

  [ Stanislav Ivanichkin ]
  * portodshim: temporary use tag as a RuntimeApiVersion

  [ Lev Pantyukhin ]
  * portodshim: add hostname and ip
  * portodshim: add some stubs

  [ Stanislav Ivanichkin ]
  * portodshim: list containers only with namespace label

  [ Lev Pantyukhin ]
  * portodshim: add command and using kill instead of stop for containers
  * portodshim: add metadata getting and simple filter in ListPodSandbox
  * portodshim: add filtering to ListContainers, add system namespaces skipping and add labels/annotations in Stats
  * portodshim: split name and id
  * portodshim: add labels filtering
  * portodshim: modify id length
  * portodshim: add ListPodSandboxStats
  * portodshim: add LogPath in ContainerStatus
  * portodshim: remove porto.go and add remote module dependency
  * portodshim: refactor image and runtime mapper with new go api
  * portodshim: remove methods from struct PortodshimRuntimeMapper
  * portodshim: remove methods from struct PortodshimImageMapper

  [ Stanislav Ivanichkin ]
  * portodshim: added cni support

  [ Lev Pantyukhin ]
  * debian: add portodshim package
  * portodshim: add log rotate

  [ Dmitry Yakunin ]
  * portodshim: allow to work without cni configuration
  * ci: add update_tar_bases script
  * ci: update base tars with golang 1.19.2
  * portodshim: set go cache to /tmp
  * ci: use arc in sandbox_task

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 07 Oct 2022 17:33:46 +0300

yandex-porto (5.3.0) unstable; urgency=low

  [ Lev Pantyukhin ]
  * container: container doesn't start parents if client is portod
  * property: add io_read_ops and io_write_ops as division of io_ops
  * stream: fix checks in SetInside

  [ Dmitry Yakunin ]
  * network: use MeasuredMutex-es, better error handling
  * docs: add kndrvt to the AUTHORS

  [ Maxim Samoylov ]
  * test: fix self-container test stability issue
  * test: restart portod on each test case
  * test: make tests compatible with focal
  * test: make tests more stable

  [ Lev Pantyukhin ]
  * property: add net_snmp6 property

  [ Dmitry Yakunin ]
  * ci: disable precise build

  [ Lev Pantyukhin ]
  * api: add rpc.pb.go updating, split rpc package from porto package, resolve conflicts
  * api: fix go module name

  [ Dmitry Yakunin ]
  * ci: disable trusty build
  * all: add experimental docker images support
  * build: disable go api building by default
  * build: enable openssl by default
  * ci: enable openssl

  [ Lev Pantyukhin ]
  * docker: fix docker pull for k8s.gcr.io

  [ Stanislav Ivanichkin ]
  * api: Allow set target property in LinkVolume call

  [ Lev Pantyukhin ]
  * storage: remove /usr/sbin/portoctl excluding during layer exporting
  * docker: replace docker.io to registry-1.docker.io as registry
  * docker: reverse order of image layers

  [ Dmitry Yakunin ]
  * task: fix typo

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 19 Sep 2022 12:55:45 +0300

yandex-porto (5.2.8) unstable; urgency=low

  [ Lev Pantyukhin ]
  * network: add ability to disable l3stat watchdog via period
  * volume: modify InsecureUserPaths matching
  * stream: set placed after checks in SetInside

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 14 Jun 2022 14:53:53 +0300

yandex-porto (5.2.7) unstable; urgency=low

  * portoctl: fix static build on focal
  * filesystem: temporary disable portoctl binding into container

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 25 May 2022 23:48:54 +0300

yandex-porto (5.2.6) unstable; urgency=low

  * build: make portoctl static

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 23 May 2022 12:05:42 +0300

yandex-porto (5.2.5) unstable; urgency=low

  * test: add test for bind portoctl with root_readonly
  * cpu: check nested jail in children

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 17 May 2022 19:50:04 +0300

yandex-porto (5.2.4) unstable; urgency=low

  * filesystem: create portoctl file before remounting root to ro

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 16 May 2022 16:01:04 +0300

yandex-porto (5.2.3) unstable; urgency=low

  * filesystem: bind portoctl read only
  * util: fix StringMatch

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 16 May 2022 13:33:00 +0300

yandex-porto (5.2.2) unstable; urgency=low

  [ Lev Pantyukhin ]
  * volume: fix comment
  * porto.md: fix typo
  * portoctl: exec has command default value is /bin/bash
  * porto: move fds closing before directory chanhing to cwd
  * porto: change memory cgroup to container name in layer importing

  [ Maxim Samoylov ]
  * network: fix veth device leakage on failed ifup script

  [ Dmitry Yakunin ]
  * ci: reduce cores requirement
  * property: add net_rx_overlimits property

  [ Lev Pantyukhin ]
  * porto: add portoctl binding with porto.socket
  * config: change default value of insecure_user_paths config
  * volume: remove write access check for layers

  [ Dmitry Yakunin ]
  * config: rework insecure_user_paths to list of allowed paths

  [ Lev Pantyukhin ]
  * property: add cpu_burst_usage and cpu_unconstrained_wait properties for portotop

  [ Dmitry Yakunin ]
  * cpu: fix dynamic jail change on container with cpuset enabled children
  * property: fix build on aarch64
  * cpu: fix endless loop in ApplySchedPolicy

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 10 May 2022 15:09:17 +0300

yandex-porto (5.2.1) unstable; urgency=low

  [ Lev Pantyukhin ]
  * property: refactor code

  [ Dmitry Yakunin ]
  * property: add memory lock policy property for container memory cgroup

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 21 Mar 2022 12:52:19 +0300

yandex-porto (5.2.0) unstable; urgency=low

  [ Dmitry Yakunin ]
  * portoctl: remove offensive comment

  [ Lev Pantyukhin ]
  * portoctl: decrease necessary arguments count of run command
  * portoctl: add ability to use "=" in set command

  [ Dmitry Yakunin ]
  * cpu: add cpu_limit_scale config option

  [ Lev Pantyukhin ]
  * network: add sysctl net.ipv6.icmp.ratemask

  [ Maxim Samoylov ]
  * container: fixup nosmt peculiarities

  [ Lev Pantyukhin ]
  * api: add memory cgroup parameter into ImportLayer
  * porto: add cgroup for import layer to python api, portoctl, and tests
  * api: rename cgroup to memory cgroup in layer importing call
  * test: fix import layer cgroup test
  * porto: fix layer building from docker layers
  * porto: remove merge flag in TStorage::SanitizeLayer

  [ Dmitry Yakunin ]
  * cpu: add proportional_cpu_shares config option

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 11 Mar 2022 23:43:42 +0300

yandex-porto (5.1.9) unstable; urgency=low

  [ Lev Pantyukhin ]
  * porto: add additional meta or running check in TContainer::StartParents

  [ Maxim Samoylov ]
  * network: introduce network_ifup_script invocation on L3 net setup
  * container: introduce container cpu_policy nosmt

  [ Dmitry Yakunin ]
  * api: python: fix exception message in python3
  * porto: add vcheck to check volume
  * network: fix rx qdisc deleting

  [ Anton Suvorov ]
  * Fail network configuration if helper script fails

  [ Lev Pantyukhin ]
  * porto: CgroupCleanup with cgroupfs doesn't delete container cgroup children

  [ Maxim Samoylov ]
  * network: fix methods naming ambiguity
  * client: allow recursive read-only connections
  * portod: convert signalfd exit status to waitpid format

  [ Dmitry Yakunin ]
  * tests: fix security test

  [ Maxim Samoylov ]
  * test: add essential net-ifup testcase

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Thu, 17 Feb 2022 11:05:42 +0300

yandex-porto (5.1.8) unstable; urgency=low

  [ Dmitry Yakunin ]
  * cpu_set: fix resetting jail on stopped container
  * cpu_set: correctly set vacant cpus in jail

  [ Lev Pantyukhin ]
  * api: python: rename RemoveLayer param 'async' to 'asynchronous'

  [ Dmitry Yakunin ]
  * net: change default container qdisc to pfifo_fast

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 18 Jan 2022 00:04:09 +0300

yandex-porto (5.1.7) unstable; urgency=low

  * Revert "property: add bind_socket property"

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 28 Dec 2021 18:28:04 +0300

yandex-porto (5.1.6) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * porto: enable capabilities[SYS_ADMIN] in extra_properties

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 20 Dec 2021 17:53:04 +0300

yandex-porto (5.1.5) unstable; urgency=low

  [ Dmitry Yakunin ]
  * Revert "blkio: fix disk resolving from client container"
  * blkio: fix disk resolving from client chroot with leading dot

  [ kndrvt ]
  * portotop: fix sorting of values in cores
  * git: add .idea to .gitignore

  [ Dmitry Yakunin ]
  * property: add bind_socket property
  * porto: rework cpu_set jail

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Thu, 16 Dec 2021 12:03:02 +0300

yandex-porto (5.1.4) unstable; urgency=low

  * blkio: fix disk resolving from client container

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 08 Nov 2021 14:41:23 +0300

yandex-porto (5.1.3) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * portoctl-pull-sandbox: allow to use zst layers
  * porto: add cpu_set = jail
  * portoctl-pull-sandbox: print start command with enable_porto=isolate
  * property: link memory with blkio for cgroup writeback

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 25 Oct 2021 12:20:11 +0300

yandex-porto (5.1.2) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * core: catch cores from child cgroups from container with cgroupfs=rw

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 28 Sep 2021 15:52:56 +0300

yandex-porto (5.1.1) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * property: fix restore for cgroupfs with virt_mode=os and EnableOsModeCgroupNs=true
  * filesystem: mount RO net cgroups by default for cgroupns=rw
  * porto: fix chown devices for userns after portod reload

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 15 Sep 2021 14:32:04 +0300

yandex-porto (5.1.0) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * property: add total_writeback to io_write property
  * porto: fix copyright
  * test: make selftest more stable
  * network: enable extra routes by default for L3 network
  * porto: do not create netns when virt_mode=fuse and net inherited
  * porto: stop importLayer if client disconnected
  * porto: add async RemoveLayer
  * container: set memory.numa_balance_vmprot for containers with memory controller and chroot and cpuset='node ...'

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 06 Sep 2021 16:15:44 +0300

yandex-porto (5.0.34) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * network: fix shared ptr leak

 -- max7255 <max7255@max7255-nix>  Mon, 16 Aug 2021 17:52:07 +0300

yandex-porto (5.0.33) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * test: fix security and disable pull-sandbox

  [ Dmitry Yakunin ]
  * network: allow tcp_fwmark_accept sysctl

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 13 Aug 2021 12:54:29 +0300

yandex-porto (5.0.32) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * api: small fixes for async waiter
  * api: fixes for async waiter
  * test: make net_sched more stable
  * test: make retriability test more stable

  [ Dmitry Yakunin ]
  * util/path: add Lchown and ChownRecursive (with filter) helpers
  * container: more user namespace logic
  * property: add resolv_conf to allowed extra properties
  * volume: allow suid binaries in linked volumes

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Thu, 12 Aug 2021 12:50:00 +0300

yandex-porto (5.0.31) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * ci: use more cores for tests
  * network: take lock before delete qdisc from L3 device on host
  * api: add AsyncWaiter for make async wait simpler
  * portoctl: add portoctl sandbox-pull command for download typical base layers
  * container: do not enable net_cls controller by default test: disable tests with tc classes

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 30 Jul 2021 15:23:54 +0300

yandex-porto (5.0.30) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * porto: rework extra_properties format
  * network: enable tx burst like rx
  * porto: check that cgroupns supported, before use
  * api: remove unused option
  * network: take lock in NetWatchDog only if needed
  * network: add network high precision speed statistics

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 20 Jul 2021 17:10:02 +0300

yandex-porto (5.0.29) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * test: disable tests for net_classes.
  * test: make oom and security tests more stable
  * stream: return error if inode of fd changed
  * stream: return error if client process changed and we try to open it's fd

  [ Dmitry Yakunin ]
  * property: fix error message

  [ Alexander Kuznetsov ]
  * core: disable write access to portod core container
  * portotop: add containers filter
  * ci: recreate pbuilder focal layer
  * porto: link portoctl and portoctl-top with pthread

  [ amich ]
  * container: report invalid state name on kill

  [ Alexander Kuznetsov ]
  * porto: add cgroupfs property
  * portoctl: fix ip='veth auto'
  * filesystem: chmod cgroupfs with 777 if cgroupfs=rw Signed-off-by: Alexander Kuznetsov wwfq@yandex-team.ru Link: https://st.yandex-team.ru/PORTO-870

  [ Dmitry Yakunin ]
  * build: remove pedantic flag, treat warnings as errors, fix all warnings
  * cred: use common mapping for userns
  * property: add userns

  [ Alexander Kuznetsov ]
  * porto: add extra_properties option to config

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Thu, 01 Jul 2021 18:09:18 +0300

yandex-porto (5.0.28) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * test: make security and net-sched more stable
  * stream: check client start time in OpenOutside to prevent pid reusing
  * porto: check that inode of std stream do not changed between set and start container
  * test: make tests more stable
  * porto: add owner_containers property

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 09 Jun 2021 17:23:57 +0300

yandex-porto (5.0.27) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * network: copy shared ptr of HostNetwork when update host network stats

  [ Oleg Senin ]
  * test-net-sched: add test for RetransSegs

  [ Alexander Kuznetsov ]
  * porto: store more logs
  * client: not root user that non-matching owner can not manipulate containers even if client is member of "<client username>-containers" groups
  * client: not root user that non-matching owner can not manipulate containers even if client is member of "porto-containers" groups
  * network: do not store HostPeerIndex. Use link index from veth device for setup rx limits

  [ Maxim Samoylov ]
  * porto: fix some portability issues

  [ Alexander Kuznetsov ]
  * stream: add more logs at error in OpenOutside. Temporarily make an error not strict

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 07 Jun 2021 13:13:00 +0300

yandex-porto (5.0.26) unstable; urgency=low

  [ Dmitry Yakunin ]
  * fix porto.md

  [ Alexander Kuznetsov ]
  * ci: split tests into 8 parts
  * portotop: add options to show only cpu/memory/net/io/porto stat columns
  * task: do not close porto socket pair on configure child

  [ Oleg Senin ]
  * network: add stats from /proc/net/snmp

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Thu, 27 May 2021 10:16:16 +0300

yandex-porto (5.0.25) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * man: add extra_routes

  [ Dmitry Yakunin ]
  * debian: service: set TimeoutStartSec to 360

  [ Alexander Kuznetsov ]
  * network: fix net_rx_limit to work on running container
  * porto: resolve client container by cgroup v2 if enabled
  * porto: do not Identify Client on request. Identify once at connecting
  * test: split tests into 4 parts
  * task: do not Abort on error in ConfigureChild
  * porto: close unused fds before open std streams inside
  * porto: identify client by pid and inode of /proc/pid

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 21 May 2021 13:12:53 +0300

yandex-porto (5.0.24) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * porto: join into parent user ns on start
  * porto: do not disconnect clients on request processing on upgrade/reload
  * porto: fix some compiller warnings
  * porto: kill imports after timeout on reload

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 12 May 2021 00:21:04 +0300

yandex-porto (5.0.23) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * quota: set FS_XFLAG_PROJINHERIT only for dirs

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 23 Apr 2021 18:31:35 +0300

yandex-porto (5.0.22) unstable; urgency=low

  [ Dmitry Yakunin ]
  * release: add pypi target

  [ Anton Suvorov ]
  * do not reload portod if running under hostmanager

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 21 Apr 2021 17:49:00 +0300

yandex-porto (5.0.21) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * porto: do not remove CAP_NET_ADMIN in chroot if ip_limit is set

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 16 Apr 2021 11:54:18 +0300

yandex-porto (5.0.20) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * volume: do not ignore mkdir error on LinkVolume
  * property: fix GetProperty for virt_mode=fuse
  * ci: take more cores and ram in sandbox tasks for tests

  [ Nikita Vetoshkin ]
  * minor: fix misprint in error message

  [ Alexander Kuznetsov ]
  * porto: fix vulnerability and add test        do not use wildcards on exports

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Mon, 12 Apr 2021 13:20:22 +0300

yandex-porto (5.0.19) unstable; urgency=low

  * UNRELEASED

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 02 Apr 2021 17:22:42 +0300

yandex-porto (5.0.18) unstable; urgency=low

  * UNRELEASED

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 02 Apr 2021 17:22:34 +0300

yandex-porto (5.0.17) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * client: print info for read only connections
  * network: not allow '..' in net namespace path
  * filesystem: leave to host mount ns, if cannot chdir in container ns
  * container: add test for cpuset.mems and fix bug
  * porto: default devices='/dev/fuse rw' for virt_mode=fuse
  * porto: print /proc/pid/status and /proc/pid/stack for busy tasks if we cannot remove cgroups
  * error: more errors for ImportLayer with verbose=true. show PortodUpgraded error if porto upgraded on request if EnablePortodShutdownError for client == true
  * test: add timeouts for tests
  * string: fix typo. int must be double
  *     network: set rx limit for mtn as tx limit on host peer

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 02 Apr 2021 17:22:28 +0300

yandex-porto (5.0.16) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * ci: build porto on branch for all platforms
  * fix: at the start, we could change global errno when changing the local errno

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 03 Mar 2021 11:05:27 +0300

yandex-porto (5.0.15) unstable; urgency=low

  [ Alexander Kuznetsov ]
  *     ci: fix build for precise
  * task: start task in user namespace with direct mapping if userns_mode equal true

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 02 Mar 2021 18:59:31 +0300

yandex-porto (5.0.14) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * test: wait oom-s for more time
  * stream: do not block when open fifo pipe for read
  * task: add more logs at container start. Add stat for start timeouts
  * portoctl: add more randomness to ip = auto
  * statistics: reset porto_stats on portod clearstat [stat]

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 24 Feb 2021 15:39:58 +0300

yandex-porto (5.0.13) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * cgroups: remove backward compatibility for perf_event cgroup
  * container: do not load cgroup2 and perf_event controllers for virt_mode=job container
  * Commit af911e87ac2871478417ddab7ebdf05dbf2c9922 upstream Commit af14b341c6ec73c3b5faefb567ffcbe1aa021870 upstream

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Fri, 29 Jan 2021 10:59:43 +0300

yandex-porto (5.0.12) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * property: check that Net is not nullptr before use

  [ Roman Anufriev ]
  * python_api: pass container instead of path to _ListVolumes from ListVolumes

  [ Alexander Kuznetsov ]
  * portoctl: enable ip='dev auto [prj_id] for net='L3 ...'
  * rpc: change max_respawns in spec from uint64 to int64
  * spec: return error in TContaner when we can not lock it or can not find

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 27 Jan 2021 12:52:56 +0300

yandex-porto (5.0.11) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * spec: do not pass error on creating container test: check fatals after tests
  * test: split tests into 8 parts
  * spec: lock container before undo in CreateFromSpec,       lock container before Dump in ListContainersBy,
  * ci: update tarball resources test: split tests into 8 parts
  * ci: use pbuilder tarballs with installed packages for build porto
  * filesystem: mount /sys/fs/cgroup/systemd if cgroupns enabled and container without cap_sys_admin
  * volumes: make critical section smaller on creating volume

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 13 Jan 2021 19:22:24 +0300

yandex-porto (5.0.10) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * ci: update pbuilder tarballs
  * ci: use base tarballs with TTL=INF
  * ci: increase memory for test task
  * network: pass ESRCH on getting container sockets
  * test: change the division of tests
  * test: remove empty tests
  * porto: do not remove /run/portod.stat
  * porto: add statistics for time of lock operations
  * network: add extra_routes option for net=L3

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 16 Dec 2020 19:03:52 +0300

yandex-porto (5.0.9) unstable; urgency=low

  [ Dmitry Yakunin ]
  * build: add actual release-porto script

  [ Alexander Kuznetsov ]
  * portoctl: add portoctl enter command, for start shell in container with virt_mode=job
  * tests: enable skipped tests
  * network: fix segfault on updating netstat stats
  * ci: enable testing on xenial-5.4 env test: build porto kernel module only in fuzzer test

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Wed, 09 Dec 2020 17:39:22 +0300

yandex-porto (5.0.8) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * porto: enter cgroup namespace only if EnableCgroupNs=true
  * test: change the division of tests
  * test: split net-sched test into 2 parts
  * test: make tests more stable
  * ci: build porto in pbuilder_build_deb_package sandbox task
  * porto: fix porto stat
  * network: add statistics from /proc/net/netstat
  * test: make 2 attempts on test in test-parts
  * property: add cpu_limit/guarantee_bound

  [ Dmitry Yakunin ]

 -- Dmitry Yakunin <zeil@yandex-team.ru>  Tue, 01 Dec 2020 15:14:43 +0300

yandex-porto (5.0.7) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * portoctl: add option for drop cap_sys_admin for base container in 'portoctl build' task
  * porto: add virt_mode=docker for run docker daemon in porto container

 -- max7255 <max7255@max7255-nix>  Fri, 13 Nov 2020 15:20:24 +0300

yandex-porto (5.0.6) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * container: save and load creation time in kv storage
  * test: split tests into 8 parts
  * test: fix parts test
  * test: restart porto before test
  * test: sleep 1 second after start command and before usage tests
  * property: print salt and md5sum for env_secret
  * test: fix flaky tests
  * logrotate: store more logs
  * test: encode string before hashing

 -- max7255 <max7255@max7255-nix>  Thu, 05 Nov 2020 19:36:03 +0300

yandex-porto (5.0.5) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * ci: fix sandbox task
  * porto: take args in thread factory by values
  * porto: add statistics for fatal signals
  * portod: fix portod dump
  * network: catch drops/Overruns stat from qdisc

 -- max7255 <max7255@max7255-nix>  Wed, 30 Sep 2020 13:35:53 +0300

yandex-porto (5.0.4) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * porto: flag for setting volume auto path as root or cwd in CreateFromSpec
  * porto: add statistics for top time of currently running requests
  * spec: dont link created volume with container by default in CreateFromSpec
  * portotop: fix bug on scrolling
  * man: Add space_limit_mb and slot_space_limit_mb description clarification
  * porto: non strict finding client container when enabled cgroup namespaces
  * porto: add libnl-idiag, pandoc for building
  * log: print quadro/triple at start

 -- max7255 <max7255@max7255-nix>  Wed, 16 Sep 2020 16:49:22 +0300

yandex-porto (5.0.3) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * test: fix test-os task: fix out of bounds

 -- max7255 <max7255@max7255-nix>  Thu, 27 Aug 2020 14:53:51 +0300

yandex-porto (5.0.2) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * porto: validate cred in TOwnerCred::Load
  * portotop: hide unmarked containers on 'H'
  * api: fix typo in python api
  * cgroup: make perf_event cgroup hierarchy
  * porto: add property command_argv
  * filesystem: hide net_cls and net_prio cgroups in os container with cgroup ns

  [ Maxim Samoylov ]
  * porto: update authors

 -- max7255 <max7255@max7255-nix>  Wed, 26 Aug 2020 18:27:56 +0300

yandex-porto (5.0.1) unstable; urgency=low

  [ wwfq ]
  * volume: use none scheduler for loop backend
  * rpc: change spec proto objects numbers

  [ Alexander Kuznetsov ]
  * cgroup: don't kill negative pids on KillAll
  * cgroup: don't kill zero pids on KillAll
  * task: write more logs when task starting

  [ Maxim Samoylov ]
  * container: add cpu_policy value inheritance
  * container: fix cpu_period property

 -- max7255 <max7255@max7255-nix>  Mon, 10 Aug 2020 14:58:19 +0300

yandex-porto (5.0.0) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * property: fix segfault on TLinkedVolumes::Get
  * net: pass ESRCH error when collect sockets
  * core: fix segfault when process name with spaces cored

  [ Maxim Samoylov ]
  * debian: actualize maintainer

  [ Alexander Kuznetsov ]
  * porto: container spec dump and load properties in protobuf format

  [ wwfq ]
  * spec: separate statistics for spec requests
  * porto: secret environment variables

  [ Alexander Kuznetsov ]
  * filesystem: show full cgroup hierarchy in virt_mode=os container

  [ Maxim Samoylov ]
  * config: drop PROTOBUF_DEPRECATED

 -- max7255 <max7255@max7255-nix>  Wed, 29 Jul 2020 15:39:34 +0300

yandex-porto (5.0.0) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * property: fix segfault on TLinkedVolumes::Get
  * net: pass ESRCH error when collect sockets
  * core: fix segfault when process name with spaces cored

  [ Maxim Samoylov ]
  * debian: actualize maintainer

  [ Alexander Kuznetsov ]
  * porto: container spec dump and load properties in protobuf format

  [ wwfq ]
  * spec: separate statistics for spec requests
  * porto: secret environment variables

  [ Alexander Kuznetsov ]
  * filesystem: show full cgroup hierarchy in virt_mode=os container

  [ Maxim Samoylov ]
  * config: drop PROTOBUF_DEPRECATED

 -- max7255 <max7255@max7255-nix>  Wed, 29 Jul 2020 15:38:05 +0300

yandex-porto (4.18.35) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * test: configure portod before tc tests

  [ Dmitry Yakunin ]
  * net: set default net.ipv6.auto_flowlabels in container to 0
  * cgroup: disable netcls subsystem when host net classes are disabled
  * net_cls: ignore process attachment when subsystem is disabled
  * container: remove redundant check

  [ Alexander Kuznetsov ]
  * test: change prev_porto_version in prev_release_upgrade to 4.18.32
  * cgroup: don't kill portod or master threads on KillAll threads: added factory for making threads
  * property: remove backward compatibility, cgroup2 supports on the whole cluster
  * log: don't write logs in STDOUT_FILENO
  * log: print log with milliseconds and request id
  * log: print reqId without label 'id:'

 -- max7255 <max7255@max7255-nix>  Wed, 15 Jul 2020 19:22:44 +0300

yandex-porto (4.18.34) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * network: account child sock stat in parent containers
  * property: fix condition in net property

  [ Maxim Samoylov ]
  * config: set classless config as default

 -- max7255 <max7255@max7255-nix>  Wed, 03 Jun 2020 16:27:21 +0300

yandex-porto (4.18.33) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * ci: fix sandbox task result path
  * network: dont return error ENOENT on opening /proc/pid/status
  * network: fix segfault on UpdateSockStat when raw ptr invalid
  * container: apply ulimits in container tasks only in dynamic, not on reload

  [ Maxim Samoylov ]
  * network: improve SOCK_DIAG stats collection

  [ Alexander Kuznetsov ]
  * volume: fix some bugs with incorrect VolumeMounts value
  * property: fix 'has' method for SockStat test: fix net sched test

  [ Dmitry Monakhov ]
  * ci: add sandbox build config

 -- max7255 <max7255@max7255-nix>  Tue, 02 Jun 2020 19:24:25 +0300

yandex-porto (4.18.32) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * network: dont return error ENOENT on opening /proc/pid/fd
  * core: don't forward core if container in stopping state
  * property: add ability to change cpuset.mems by cpu_set property On this step skip SetMems errors. TODO: think about child containers when set cpuset.mems

  [ Konstantin Khlebnikov ]
  * cgroup: make net_cls optional if enable_host_net_classes=false

 -- max7255 <max7255@max7255-nix>  Fri, 15 May 2020 20:48:04 +0300

yandex-porto (4.18.31) unstable; urgency=low

  [ Roman Anufriev ]
  * test/test-net-sched: increase waiting times again to prevent false timeouts
  * test/test-oom: increase waiting time to prevent false timeout
  * test/selftest: decrease number of containers to prevent tests timeout
  * test/mem-overcommit: check if available RAM is sufficient for running test
  * ci: add yaml file with test parameters

  [ Dmitry Monakhov ]
  * storage: Remove useless arguments on decompression
  * storage: Do not pass compression arguments for old tar

  [ Maxim Samoylov ]
  * test/net-sched: test uplink qdisc limiter locally
  * scripts: apply silencer on test environment scripts

  [ Alexander Kuznetsov ]
  * net: catch bytes/packets stat with netlink for containers by sockets

  [ Dmitry Yakunin ]
  * config: set default rt_priority to 0

  [ Alexander Kuznetsov ]
  * test: change previous porto version in prev_release_upgrade test to 4.18.27
  * cred: resolve uid/gid-names only on changing
  * cgroup: don't kill portod or master on KillAll
  * test:config rt_priority before CheckRt in test-prev_release_upgrade
  * volumes: move servicing of volume requests to dedicated queue
  * config/layers: parameterize path to 'tar' binary Commit 754bb9c238bf010174b61e6a6d7f30a8d1f4c9ca upstream
  * test: add testing of volume queue Commit 1b831bb9e8347e66c04261e12ec6cfde351d08fb upstream

  [ Maxim Samoylov ]
  * debian: add build dependency for libnl-idiag

 -- max7255 <max7255@max7255-nix>  Fri, 08 May 2020 01:00:17 +0300

yandex-porto (4.18.30) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * volume: Unlink nested links, this also kills nested volumes when common link dies Link: https://st.yandex-team.ru/PORTO-644 Signed-off-by: Alexander Kuznetsov wwfq@yandex-team.ru
  * test: remove remaining volumes after volumes_links test

  [ Dmitry Yakunin ]
  * cgroup: fix cgroup2 tasks handling

  [ Alexander Kuznetsov ]
  * cgroup: make AttachAll as threads when pids cross with previous Link: https://st.yandex-team.ru/PORTO-654 Signed-off-by: Alexander Kuznetsov wwfq@yandex-team.ru
  * volumes: store statFs in volume class and update it in additional thread Link: https://st.yandex-team.ru/PORTO-650 Signed-off-by: Alexander Kuznetsov wwfq@yandex-team.ru

 -- max7255 <max7255@max7255-nix>  Tue, 07 Apr 2020 18:46:03 +0300

yandex-porto (4.18.29) unstable; urgency=low

  [ Roman Anufriev ]
  * test/test-net-sched: increase waiting times to prevent false timeouts

  [ Dmitry Yakunin ]
  * cgroup: mount cgroup2 subsystem on kernels >= 4.19

  [ Alexander Kuznetsov ]
  * property: add task_cred and owner_cred
  * volume: Fix volume ownership transfer on daemon reload We should reflect it in kv state

 -- max7255 <max7255@max7255-nix>  Fri, 21 Feb 2020 04:00:58 +0300

yandex-porto (4.18.28) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * test/container: added more tests for usage wildcards in containers hierarchies
  * test: fixed bug with size of the test file
  * rpc/client: fixed memory leak in non-debug mode and compress client buffer after send response Link: https://st.yandex-team.ru/PORTO-585
  * stream: added StdStream read limit
  * stream: truncate output of StdStream, if it extended read limit
  * stream: move stdStream read limit to protobuf config
  * test: add test for std stream limit
  * string: parse string to uint64 without using double if it available

  [ Maxim Samoylov ]
  * container: treat job container without command as invalid config
  * volume: prevent wildcard removal of busy volumes

  [ Alexander Kuznetsov ]
  * string: fixed StringToSize parser and add 1 more test

  [ Dmitry Yakunin ]
  * cgroup: don't use net_cls when host net classes are disabled
  * cgroup: net_cls: write classid only if it differs from previous value

 -- max7255 <max7255@max7255-nix>  Tue, 11 Feb 2020 00:50:22 +0300

yandex-porto (4.18.27) unstable; urgency=low

  [ Alexander Kuznetsov ]
  * net: added recently namespaced sysctls to white list

  [ Maxim Samoylov ]
  * container: fix wildcard place policy checking

  [ Alexander Kuznetsov ]
  * volume: add caching of volume quota file upon porto reload and volume creation Commit 066130964e7db98b993e36c7dae6a1e1bec41ce4 upstream

  [ Dmitry Yakunin ]
  * network: add 'enable_host_classful_qdiscs' option (enabled by default)
  * test: extend net-sched with MTN net_limit test and switching between classful and classless qdiscs

  [ Maxim Samoylov ]
  * container: fix one more place where devices restoring fails on missing pids

  [ Dmitry Yakunin ]
  * net: rework host netns checking
  * net: setup classless qdisc in case of single tx queue too
  * net: add missing fq_codel params to config
  * net: rename enable_host_classful_qdiscs to enable_host_net_classes
  * net: fix build

  [ Alexander Kuznetsov ]
  * container: fix segfault on place='***', added validation that '***' was only at the end of the place

  [ Dmitry Yakunin ]
  * test: net-sched: remove dummy-porto iface and set net.ipv6.conf.all.forwarding=1 before start
  * net: net-sched: change ip prefix len to 128 for iperf client container

  [ Alexander Kuznetsov ]
  * container: fix tests with wildcards Link: https://st.yandex-team.ru/PORTO-627

  [ Roman Anufriev ]
  * container: fix porto crashing if race on start container occured

  [ Maxim Samoylov ]
  * test/fuzzer: show fuzzer thread seeds prior before starting

  [ Roman Anufriev ]
  * test/fuzzers: downgrade warning "Freezer not found" to not trigger fuzzers failures

  [ Maxim Samoylov ]
  * container: validate virt_mode=job cgroup requirement absense earlier
  * test/net-sched: check net_rx_limit behaviour in MTN

 -- max7255 <max7255@max7255-nix>  Wed, 22 Jan 2020 13:35:29 +0300

yandex-porto (4.18.26) unstable; urgency=low

  [ Maxim Samoylov ]
  * container: fix unneccessary container loss on devices restore
  * config: adopt important network settings to stable
  * device: log numerical uid:gid only for chroot device nodes
  * util/path: report chown error with numerical ids only
  * util/unix, util/cred: helper for tainting post-fork issues

  [ Roman Anufriev ]
  * volume: add configurable auxilary default places

  [ Maxim Samoylov ]
  * test/test-mem-recharge: mind specific recharge scenarios
  * config: use no aux places by default for now

 -- max7255 <max7255@max7255-nix>  Tue, 10 Dec 2019 15:31:35 +0300

yandex-porto (4.18.25) unstable; urgency=low

  [ Roman Anufriev ]
  * container: fix error on exit from virt_mode=job container, PORTO-558

  [ Maxim Samoylov ]
  * volume: omit duplicate layers in overlay

 -- max7255 <max7255@max7255-nix>  Wed, 25 Sep 2019 00:45:50 +0300

yandex-porto (4.18.24) unstable; urgency=low

  [ Maxim Samoylov ]
  * log: account start fails for respawn case too
  * property: report porto daemon cpu usage stats
  * container: do not reset "static" taints on start
  * property: sanitize capabilities when changing virt_mode
  * container: silently drop SYS_BOOT on capability sanitize step
  * test/security: test for SYS_BOOT deprecation
  * cgroup: force daemon cgroups recreation on start

 -- max7255 <max7255@max7255-nix>  Thu, 22 Aug 2019 16:11:41 +0300

yandex-porto (4.18.23) unstable; urgency=low

  [ Dmitry Yakunin ]
  * git: update gitignore
  * task: attach to intermediate processes with ptrace, PORTO-500
  * test: Add test for ptrace attack, PORTO-500

  [ Konstantin Khlebnikov ]
  * cgroup: add bfq weight
  * cgroup: cleanup blkio cfq/bfq cgroup weight setup
  * porto: fix crash in TContainer::DistributeCpus on cpu overcommit
  * network: setup 8 tx queues for ipip6 tunnels

  [ Maxim Samoylov ]
  * volume: serialize link mount operations

  [ Dmitry Monakhov ]
  * storage: add zstd compression support

  [ Maxim Samoylov ]
  * test/fuzzer: cgroupv2 unified workaround
  * task: revert to old policy with starting on reload

  [ Roman Anufriev ]
  * util/path: prevent log truncation when 'stdout_limit' is lower than 'st_blksize', PORTO-569
  * property: reset devices when empty knob is given, PORTO-520
  * restore: update cgroups and device nodes on container restore, PORTO-562

  [ Konstantin Khlebnikov ]
  * porto: use prctl PR_TRANSLATE_PID if available
  * porto: protect daemon clones from ptrace and proc access in containers

  [ Maxim Samoylov ]
  * cred: drop CAP_SYS_BOOT from non-host containers cap set
  * test: fix os/app capabilities expectations

 -- max7255 <max7255@max7255-nix>  Thu, 25 Jul 2019 18:29:35 +0300

yandex-porto (4.18.22) unstable; urgency=low

  [ Roman Anufriev ]
  * property: add 'FailInvalidNetaddr' property/'fail_invalid_netaddr' protobuf field for accounting 'InvalidNetworkAddress' error, PORTO-491

  [ Maxim Samoylov ]
  * container: do not touch device nodes in shared chroot, PORTO-545

 -- max7255 <max7255@max7255-nix>  Wed, 05 Jun 2019 15:42:29 +0300

yandex-porto (4.18.21) unstable; urgency=low

  [ Maxim Samoylov ]
  * network: do not manage vlans, clean left qdiscs, PORTO-519

 -- max7255 <max7255@max7255-nix>  Wed, 10 Apr 2019 12:58:19 +0300

yandex-porto (4.18.20) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: do not report error error into socket if cannot exec portoinit
  * porto: validate deserialized error code
  * quota: reset counters at reusing stale project id

  [ Maxim Samoylov ]
  * test/fuzzer: avoid triggering PORTO-488 for now
  * test: add io-stat

  [ Konstantin Khlebnikov ]
  * test: add net-sched
  * test/net-sched: print second flow

  [ Maxim Samoylov ]
  * test: disable io-stat invocation in stable branch
  * test/net-sched: test both schedulers, fix htb limiting, improve assertions
  * test/fuzzer: inject D-state threads into containers
  * test/test-oom: mind that testing system can generate its own OOMs
  * test/portotest: more elaborate portod fd inspecting
  * test/test-mem_limit: treat mlock EAGAIN as OOM
  * test/fuzzer: use portod core subsystem
  * network: ensure container parent tclass exists on dynamic application, PORTO-478
  * container: leave container dead when unable to dispose cgroups, PORTO-485
  * test/test-htb-restore: add test for htb restore fix, PORTO-478

 -- max7255 <max7255@max7255-nix>  Tue, 29 Jan 2019 23:33:43 +0300

yandex-porto (4.18.19) unstable; urgency=low

  * volume: ignore missing write access for user layers and storages
  * api/cpp: reconnect until timeout in WaitContainer

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Sun, 09 Dec 2018 22:05:01 +0300

yandex-porto (4.18.18) unstable; urgency=low

  * network: enable qdisc for vlan and ipv6 tunnels

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 05 Dec 2018 15:35:11 +0300

yandex-porto (4.18.17) unstable; urgency=low

  * porto: add NSEC_PER_SEC
  * memory: disable default anon_limit for now
  * netlink: add support for codel qdisc
  * netlink: setup htb classes directly
  * network: tune tc defaults
  * test/tc-classes: remove broken test cases
  * network: add option for forcing management over host device

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 28 Nov 2018 12:17:28 +0300

yandex-porto (4.18.16) unstable; urgency=low

  * core: log portod core arguments
  * network: sync statistics every second
  * porto: rephrase cpu_set documentation

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 22 Nov 2018 10:45:44 +0300

yandex-porto (4.18.15) unstable; urgency=low

  * test/oom: check oom event after restore
  * porto: restore oom monitor

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 19 Nov 2018 11:12:28 +0300

yandex-porto (4.18.14) unstable; urgency=low

  * porto: set isolate=false for virt_mode=host|job at restore
  * test: check virt_mode=host restore
  * debian: rewrite sysv init script
  * network: set host/fallback tc class rate to 10Mbit

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 15 Nov 2018 16:56:04 +0300

yandex-porto (4.18.13) unstable; urgency=low

  * porto: fix oom detection for containers without own memory cgroup

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 14 Nov 2018 09:47:21 +0300

yandex-porto (4.18.12) unstable; urgency=low

  * porto: fix cgroup removal on error path of virt_mode=job

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 07 Nov 2018 13:13:51 +0300

yandex-porto (4.18.11) unstable; urgency=low

  * porto: handle place="///path" as path in client container
  * test/place: check place_usage and place_limit
  * volumes: fix leak in place_usage accounting

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 01 Nov 2018 15:30:24 +0300

yandex-porto (4.18.10) unstable; urgency=low

  * test/wait: check nonblock and timeout
  * porto: fix race and deadlock at wait timeout

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 26 Oct 2018 21:03:44 +0300

yandex-porto (4.18.9) unstable; urgency=low

  * test: add legacy-root-loop
  * porto: fix legacy root loop

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 10 Oct 2018 19:53:12 +0300

yandex-porto (4.18.8) unstable; urgency=low

  * cgroup: use porto systemd service cgroup for containers without systemd
  * test: check systemd upgrade

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 05 Oct 2018 10:38:16 +0300

yandex-porto (4.18.7) unstable; urgency=low

  * network: check hfsc default class
  * network: do not setup class for net=none

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Sun, 30 Sep 2018 13:23:37 +0300

yandex-porto (4.18.6) unstable; urgency=low

  * volume: protect links under construction
  * porto: cleanup legacy hfsc setup from containers
  * api/cpp: handle timeout -1 as infinite

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 28 Sep 2018 16:47:43 +0300

yandex-porto (4.18.5) unstable; urgency=low

  * test: fix mem_limit_total
  * test: fix default memory_limit check
  * porto: deprecate cpu_weight effect on rt priority
  * portoctl get: keep values single-line if stdout is not tty
  * api/python: pass strict into UnlinkVolume as named argument
  * portoctl: fix command storage -F
  * test/fuzzer: detach loop devices
  * portoctl/build: move resolv_conf to chroot level
  * log: tiny fix

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 26 Sep 2018 18:01:06 +0300

yandex-porto (4.18.4) unstable; urgency=low

  * porto: add config option for default environment
  * volume: allow non-existing user and group as directory owners
  * porto: disable default top-level memory_limit

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 13 Sep 2018 16:12:13 +0300

yandex-porto (4.18.3) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * test/fuzzer: check volume limits

  [ Michael Samoglyadov ]
  * per-hour portod.log rotation fixed

  [ Konstantin Khlebnikov ]
  * porto: silence log messages about not accepted client connections
  * api/python: limit (re)connection rate with 2 per second
  * api/python: close socket at fatal exceptions
  * api/python: add method connected()
  * api/python: add Call
  * network: count problems and repairs
  * network: recreate missing default clases
  * test/upgrade: check network problems
  * volume: fix locking round guarantee
  * volume: deprecate layers over tmpfs

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 12 Sep 2018 15:46:24 +0300

yandex-porto (4.18.2) unstable; urgency=low

  * network: fix L3 migration/sharing

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 04 Sep 2018 09:45:25 +0300

yandex-porto (4.18.1) unstable; urgency=low

  * api/cpp: add extra timeout for disk related operations
  * cgroup: increase interval between kills
  * volume: keep loop image read-only for user
  * volume: handle cow layer in persistent storage
  * volume: keep project quota id at inodes
  * portod: forbid connections from portod freezer cgroup

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 28 Aug 2018 18:03:09 +0300

yandex-porto (4.18.0) unstable; urgency=low

  * container: store resolv_conf as single string
  * container: store env as single string
  * env: track overwritten variables
  * ulimit: track overwrite
  * container: keep separate ip policy string
  * labels: merge labels at setting whole map
  * volume: rework locking around place space accounting
  * rpc: shuffle protobuf for better readability
  * network: fix ip_limit for ip networks
  * network: setup bunch of ndp proxies for L3 ip with prefix
  * network: fix namespace inheritance over isolate=false parent
  * test: net
  * porto: fix crash in combined get
  * porto: add codes for socket errors
  * api/cpp: refactor raw call interface
  * portoctl: set default timeout to 5 minutes
  * portoctl: set stdout line-buffered

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 21 Aug 2018 07:38:47 +0300

yandex-porto (4.17.0) unstable; urgency=low

  * labels: inc starts missing label from 0
  * coredump: count cores in labels
  * core: forward cores into core_command with any dumpable in chroot
  * test: check coredump
  * porto: add change time
  * porto: send exit_code ad start_error in wait response
  * test/oom: fix race
  * porto: warn about unexpected locked containers
  * porto: attach should keep write lock on source container
  * porto: sanitize locking around recursive start
  * porto: rework time properties
  * volume: keep build time as timestamp
  * portoctl build: add cleanup scripts for running after os stop
  * porto: report start_error at respawn
  * network: fix l3_migration_hack
  * portoinit: ignore SIGCHLD without target pid
  * porto: add virt_mode=job
  * hugetlb: handle limit in the same way as other limits
  * volume: allow creation with stopped target container

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 17 Aug 2018 09:36:13 +0300

yandex-porto (4.16.5) unstable; urgency=low

  * porto: consider current hugetlb size when checking guarantee
  * devices: add optional devices, handle all extra devices as optional
  * portoctl: exit from shell and exec after ^X^X
  * network: count created namespaces
  * volume: fix guarantee accounting
  * volume: rework locking aroung tuning operation

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 27 Jul 2018 16:25:47 +0300

yandex-porto (4.16.4) unstable; urgency=low

  * volume: tiny fix

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 25 Jul 2018 15:13:16 +0300

yandex-porto (4.16.3) unstable; urgency=low

  * porto: drop duplicate volume links

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 25 Jul 2018 12:45:54 +0300

yandex-porto (4.16.2) unstable; urgency=low

  * porto: drop duplicate volume link target

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 25 Jul 2018 12:20:08 +0300

yandex-porto (4.16.1) unstable; urgency=low

  * portoctl/storage: fix list for custom place
  * porto: replace container id at restore

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 25 Jul 2018 10:29:43 +0300

yandex-porto (4.16.0) unstable; urgency=low

  * volume: tiny fix
  * network: add config options for MTU to L3 ipv4/ipv6 default gateway
  * porto: tiny fix
  * porto: add aliases for place paths

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 23 Jul 2018 18:12:52 +0300

yandex-porto (4.15.0) unstable; urgency=low

  * test: check downgrade to 4.12.21
  * container: add property root_path
  * portoctl: fix raw command
  * rpc: clear respose in case of error
  * porto: fix TClient::WriteAccess
  * util/cred: add Enter/Leave
  * util/cred: add protobuf structure
  * util/path: add Open/CreateDirAllAt
  * util/quota: add Toggle
  * util/path: add OpenAtMount
  * rpc: volume spec
  * volume: commands NewVolume and GetVolume
  * volume: handle customization
  * api/python: add nr_connects
  * api/python: add NewVolume and GetVolume
  * volume: add property device_name
  * container: disable cpu_guarantee for stopping container
  * porto: add config proto into package
  * porto: limit size of all private values with 4096 bytes
  * porto: clear failed response only for non-initialized messages
  * api/python: fix python3
  * container: add user-defined labels
  * network: set leaf qdisc limit to 10240 packets

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 20 Jul 2018 16:56:43 +0300

yandex-porto (4.14.0) unstable; urgency=low

  * porto: count and describe memory guarantee overcommits
  * porto: make oom_kills hierarchical and persistent
  * container: skip unsupported properties at restore
  * Revert "porto: make oom_kills hierarchical and persistent"
  * property: add persistent and hierarchical oom_kills_total
  * contaner: save and restore context in Save()
  * test: check oom
  * porto: collect oom kills lazily
  * volume: fix possible deadlock at parallel destruction

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 12 Jul 2018 15:08:39 +0300

yandex-porto (4.13.12) unstable; urgency=low

  * test/fuzzer: check test end after each socket timeout
  * porto: enter also mnt/net ns in TranslatePid
  * filesystem: fix races during construction
  * volume: validate links consistency

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 06 Jul 2018 11:05:33 +0300

yandex-porto (4.13.11) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * path/walk: handle dir to non-dir replacement
  * test: locate now always returns self if task in same container
  * porto: fix logging merge flag when importing layers

  [ Andy Yankovsky ]
  * Fix argument order

  [ Gennady Lipenkov ]
  * Fix typo

  [ Konstantin Khlebnikov ]
  * porto: fix legacy memory.recharge_on_pgfault
  * porto: write stacktrace when portod-core crashses
  * porto: add workaround for bug in upstart
  * porto: set default ulimit memlock to max(mem_limit - 16M, 8M)
  * test: check ulimit
  * porto: open /dev/null for upstart workaround
  * network: consider default gateway for L3 only within same L2 domain
  * porto: ignore /etc/default/portod.conf if /etc/portod.conf exists

  [ Andy Yankovsky ]
  * Fix typo and code blocks indent

  [ Konstantin Khlebnikov ]
  * portod: dump ulimit and reset stack ulimit
  * porto: remove default place restrictions for containers with chroot
  * path: silence recursive remount
  * helper: set process name
  * container: keep root path always in sync
  * volume: remove owner container migration hack
  * volume: mount link target for stopped containers
  * porto: set default memory_limit for first level containers
  * porto: add devices presets
  * portoctl: run helper portoctl-cmd for non builtin commands
  * portoctl: first run helpers from /usr/lib/porto
  * portoctl: split top into portoctl-top
  * porto: move portoinit into /usr/lib/porto
  * porto: remove deprecated conffiles
  * coredump: inherit core_command from parent container
  * portoctl: rewrite command sort
  * portoctl: fix sort
  * portoctl: fix compilation for precise
  * portoctl: fix HumanValue
  * portoctl: add bash-completion for property[keys]
  * path: delete copy constructor for TFile
  * path: refactor strict path resolving and creation
  * porto: dump container locks if shutdown is stuck
  * porto: add porto freeze/unfreeze
  * volume: link and mount volumes using proper transaction sequence
  * volume: keep volume link index in sync and verify at restore

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 03 Jul 2018 13:35:20 +0300

yandex-porto (4.13.10) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * test: ignore default anon_limit

  [ Andy Yankovsky ]
  * Fix typos

  [ Konstantin Khlebnikov ]
  * porto: fix warnings
  * porto: allow absolute container names as result of LocateProcess
  * porto: handle aufs whiteout for dangling symlinks
  * porto: fix conversion aufs opaque directories
  * test: aufs import

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 29 May 2018 18:31:35 +0300

yandex-porto (4.13.9) unstable; urgency=low

  * device: allow write access to related sysfs nodes
  * porto: open tty streams for read-write
  * porto: fix aufs to overlayfs conversion
  * porto: reopen unlinked log file
  * porto: reload if socket was unlinked
  * porto: setup default anon_limit to memory_limit - 16Mb

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 23 May 2018 20:30:34 +0300

yandex-porto (4.13.8) unstable; urgency=low

  * debian: /etc/porto.conf.d -> /etc/portod.conf.d
  * Revert "porto: set in environment container=porto"

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 11 May 2018 17:25:42 +0300

yandex-porto (4.13.7) unstable; urgency=low

  * porto: fix compilation for ubuntu bionic
  * volume: release owner container lock before build
  * property: add capabilities_allowed and capabilities_ambient_allowed
  * property: add anon_only
  * property: add virtual_memory
  * property: add etc_hosts
  * network: add ECN
  * porto: create group porto in postinst
  * helper: report errors
  * portoctl/get: convert some properties

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 11 May 2018 15:05:54 +0300

yandex-porto (4.13.6) unstable; urgency=low

  * porto: use parallel gz/xz for packing tarballs
  * volume: add backend=hugetmpfs

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Sat, 28 Apr 2018 11:35:18 +0300

yandex-porto (4.13.5) unstable; urgency=low

  * core: set ambient capabilities before starting container

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 26 Apr 2018 19:22:17 +0300

yandex-porto (4.13.4) unstable; urgency=low

  * layers: fix makedev in ubuntu xenial
  * layers: add ^$ into apt-get regex
  * filesystem: protect sysfs only if container have no chroot at all
  * filesystem: reconstruct /run for virt_mode=os without chroot
  * filesystem: setup systemd cgroup for os containers without chroot
  * test: add test for virt_mode=os without chroot
  * porto: document side effects of virt_mode=os

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 26 Apr 2018 13:08:59 +0300

yandex-porto (4.13.3) unstable; urgency=low

  * network: split SetupClass
  * network: add limit for classes in BPS and percent
  * network: handle container net_limit == 1 BPS as blackhole
  * test: check blackhole in tc-classes
  * network: sync device speed
  * network: fix locking

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 23 Apr 2018 15:48:53 +0300

yandex-porto (4.13.2) unstable; urgency=low

  * network: init/reinit netclass fold
  * network: setup leaf qdisc in rate-limited net-ns
  * network: use fq_codel for all leaf qdiscs

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 20 Apr 2018 14:33:22 +0300

yandex-porto (4.13.1) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: set in environment container=porto
  * config: warn about partial config parsing
  * network: add default_tos into config
  * network: propagate fake tc statistics into parent containers
  * rpc: add AttachThread

  [ Nikita Vetoshkin ]
  * fix upstart job description

  [ Konstantin Khlebnikov ]
  * log: do not warn about full or broken filesystem
  * network: add config option for disabling netcls priority
  * network: remove qdisc from vlan devices
  * test: add tc-classes

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 19 Apr 2018 19:45:25 +0300

yandex-porto (4.13.0) unstable; urgency=low

  * porto: refactor configs
  * debian: add etc/porto.conf.d
  * test/tc-rebuild: get network interfaces from sysfs
  * test: remove legacy networking test
  * network: add DSCP traffic classes
  * network: destroy and recreat qdisc at repair
  * porto: max container id is 4095

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 18 Apr 2018 17:47:48 +0300

yandex-porto (4.12.7) unstable; urgency=low

  * devices: check permission only at configuration time
  * memory: add property anon_max_usage
  * portoctl/build: check and report oom kills
  * portoctl/build: save directories in /run
  * layers: iproute -> iproute2|iproute

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 11 Apr 2018 14:35:43 +0300

yandex-porto (4.12.6) unstable; urgency=low

  * porto: do not close control pipes twice

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 06 Apr 2018 19:09:01 +0300

yandex-porto (4.12.5) unstable; urgency=low

  * container: at restore stop containers that should be stopped
  * filesystem: fix bind mount default propagation and hack for recursive bind

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 06 Apr 2018 16:16:47 +0300

yandex-porto (4.12.4) unstable; urgency=low

  * porto: remove legacy protobuf helpers
  * porto: add separate locks for protecting containers state
  * porto: split rpc threads into three pools: RW/RO/IO
  * volume: just log if fs below loop image does not support O_DIRECT
  * property: add missing return OK
  * volume: at destroy umount all nested submounts
  * volume: target path should not overlap bind mount storage
  * container: do not apply dynamic properties to dead container
  * container: save state=stopping before removing cgroups
  * porto: update fd estimation after reworking thread pools
  * porto: deprecate default_bind_dns in portod.conf
  * test: bump previous release to 4.11.5
  * container: split preparation runtime resources
  * container: rework respawning state machine

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 05 Apr 2018 17:29:18 +0300

yandex-porto (4.12.3) unstable; urgency=low

  * filesystem: handle races during recursive remount
  * filesystem: resolve bind mount target inside chroot
  * portoctl: lesser path conversion in volume commands
  * volume: verify volume link real path
  * path: cleanup statfs flags
  * contianer: add taint about insecure bind mounts
  * filesystem: in chroot allow suid binaries only on root volume
  * porto: add counters for taints

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 02 Apr 2018 09:51:16 +0300

yandex-porto (4.12.2) unstable; urgency=low

  * porto: add async wait
  * portoctl: add async wait
  * python: add async wait
  * test: add test for async wait
  * python/api: get version also from PKG-INFO
  * python/api: recompile rpc.proto at setup

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 28 Mar 2018 20:10:19 +0300

yandex-porto (4.12.1) unstable; urgency=low

  * filesystem: mount binds after rootfs setup

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 28 Mar 2018 11:21:06 +0300

yandex-porto (4.12.0) unstable; urgency=low

  * test: plug warnings in legacy tests
  * portoctl: handle any virt_mode
  * container: add virt_mode=host
  * api/python: make python3 compatible
  * debian: add package python3-portopy
  * python/api: use setuptools_scm
  * test: disable python bytecode cache
  * Revert "python/api: use setuptools_scm"
  * python/api: get version from debian changelog
  * debian/control: add python3-setuptools

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 27 Mar 2018 21:19:36 +0300

yandex-porto (4.11.5) unstable; urgency=low

  * porto: emulation for deprecated root on loop devices

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 23 Mar 2018 20:25:54 +0300

yandex-porto (4.11.4) unstable; urgency=low

  * test: wait for portod reload
  * porto: temporary hack for making some binds recursive by default

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 23 Mar 2018 15:34:59 +0300

yandex-porto (4.11.3) unstable; urgency=low

  * debian: start after upstart event static-network-up
  * network: log device mtu

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 22 Mar 2018 16:07:53 +0300

yandex-porto (4.11.2) unstable; urgency=low

  * cgroup: pin cgroup mounts

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 22 Mar 2018 09:56:39 +0300

yandex-porto (4.11.1) unstable; urgency=low

  * devices: at restore check only type and major:minor
  * volume: ignore missing linked containers

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 21 Mar 2018 21:41:01 +0300

yandex-porto (4.11.0) unstable; urgency=low

  * test: add ct-state
  * network: init and log device speed right at discovery
  * portoctl top: add backbone and fastbone
  * debian: remove kludges from upstart job
  * debian: do not start systemd service in container
  * storage: list layers for place without sub-directory porto_storage
  * python/api: add WaitContainerTimeout exception and wait argument into Run
  * test: use run with wait
  * devices: hide warning if devices are not permitted
  * porto: add counters for lost log lines and bytes
  * porto: fail if cannot open log file

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 20 Mar 2018 12:59:42 +0300

yandex-porto (4.10.9) unstable; urgency=low

  * devices: do not log error if requested device doesn't exist
  * porto: fix crash at invalid command

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 16 Mar 2018 17:46:07 +0300

yandex-porto (4.10.8) unstable; urgency=low

  * volume: restore state for destroying when linked containers are missing
  * test/devices: check restore nested cgroup
  * devices: do not reset first level cgroup at restore
  * porto: document removed capabilities

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 15 Mar 2018 17:07:12 +0300

yandex-porto (4.10.7) unstable; urgency=low

  * python/api: remove GetProperty from Storage and MetaStorage
  * python/api: refactor timeout engine
  * python/api: handle negative timeout as infinite
  * python/api: add class to describe properties
  * porto: create dynamic devices and symlinks in correct namespace
  * porto: enable devices controller for containers with chroot
  * python/api: fix wait timeout less than 1 second
  * porto: do not hang at logging stacktrace

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 14 Mar 2018 16:50:49 +0300

yandex-porto (4.10.6) unstable; urgency=low

  * python/api: add volume property alias "private_value" for "private"
  * python/api: add alias ListStorage for ListStorages
  * porto: report read-only properties for deprecated dataList request

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 13 Mar 2018 12:41:19 +0300

yandex-porto (4.10.5) unstable; urgency=low

  * volume: wildcard unlink should fail if volume has no links with container
  * python api: add meta storages
  * container: apply device permissions at start
  * test: add test for devices

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 13 Mar 2018 11:35:18 +0300

yandex-porto (4.10.4) unstable; urgency=low

  * porto: update documentaion about device permissions
  * network: log L3 devices configuration
  * container: restore start_time for meta containers at upgrade
  * path: use fts_open without stat if possible
  * portoctl build: prevent ssh reconfiguration when building second layer
  * storage: handle weak layers and storages in meta-storage
  * porto: update documentation
  * network: reconnect netlink socket

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 12 Mar 2018 10:01:25 +0300

yandex-porto (4.10.3) unstable; urgency=low

  * container: dynamic symlink update

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 06 Mar 2018 11:22:08 +0300

yandex-porto (4.10.2) unstable; urgency=low

  * container: add property taint
  * porto: start upstart service after networking configuration

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 05 Mar 2018 15:25:51 +0300

yandex-porto (4.10.1) unstable; urgency=low

  * api/python: add argument root_volume to Run
  * cgroup: fix permissions for systemd cgroup in container
  * portoctl build: allow devices in root when building in host
  * layers: refactor hacks
  * layers: add hack for precise

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 02 Mar 2018 20:08:08 +0300

yandex-porto (4.10.0) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * network: create fake netns for restoring almost-dead containers
  * volume: check if new volume depends on itself
  * volume: simply remove not-ready volumes at restore
  * test: also call fuzzer without kills
  * log: print main argument in response line too
  * volume: do not save volume state during destruction
  * volume: at restore check volume links after state
  * container: regroup starting sequence
  * container: refactror preparation of task namespaces
  * cgroup: revert renaming from remove
  * container: cleanup devices cgroup initialization
  * volume: fix race between link and unlink-destroy
  * fuzzer: add new operations
  * container: in dead state resources are still active
  * filesystem: move cration of root bindmount out of pivotroot
  * volume: refactor mount flags operations
  * proto: make error codes future-compatible
  * filesystem: fix root mountpoint check
  * filesystem: protect pstore, securityfs and porto kv
  * volume: add read-only attribute to link
  * volume: umount links at forced unlink
  * python: create exceptions for all errors
  * python: update api
  * volume: fix target umount at container stop
  * test: add test for mount layout
  * python: add aliases for legacy exception names
  * fuzzer: catch InvalidCommand
  * volume: ignore error at umounting not mounted target path
  * volume: include target root path into volume path verification
  * volume: add backend=rbind
  * volume: add backend=dir
  * volume: mount link rbind and dir recursively
  * python: more portable error enumeration
  * test: /dev/shm might be symlink in host
  * volume: fix forced unlink
  * volume: fix race between container destroy and forced unlink
  * volume: check conflicts for link target path
  * volume: remove warning at unlinking not-mounted link target
  * fuzzer: detect and handle stale mounts
  * python: rename base exception into PortoException
  * fuzzer: catch all porto exceptions
  * portoctl: in vlist show link targets one per line
  * volume: bind and rbind could share storage
  * test: test sub-mounts for bind/rbind
  * volume: protect volume links from conflicts
  * volume: restore link target path in host at reload
  * volume: undo link mount at failed container start
  * test: merge fuzzer into one file
  * volume: reset host link if volume not ready for it
  * volume: refactor target mounts once again
  * fuzzer: merge all volume link/unlnk operations
  * volume: rework dependecies and path resolution
  * porto: move dependencise into top cmake file
  * volume: check link read-only status
  * portoctl: print id, backend and links in vlist
  * volume: count and restore common link
  * volume: fix warning if forced unlink races with normal unlink
  * volume: fix check for dependency on itself
  * volume: umount nested volume links
  * volume: start new shared group for mounted links
  * porto: remove legacy loop devices
  * container: add stopping state
  * volume: fix resolving link by nested path
  * volume: only common link pinned by all other links
  * volume: make temporary link private before umount
  * volume: ignore conflicts for storage of bind and rbind
  * util/path: add CreatePath
  * volume: mount links in two phases
  * volume: fix backends dir and quota
  * volume: log link/unlink actions
  * volume: move destroy out of unlink
  * volume: destroy volumes nested inside unmounted links
  * volume: check required_volumes as links inside
  * volume: check permissions for link parent directory
  * portod: container stop needs client context
  * volume: fix crash at umounting nested links
  * volumes: move DestroyUnlinked out of ContainersLock
  * volume: make required volume paths sticty
  * porto: enable forward propagation for container bind mounts
  * volume: by default vunlink unlinks all targets
  * test: binds by default read-write

  [ Stanislaw Datskevich ]
  * Fix building against GCC 7.3.0 on ubuntu 18.04

  [ Konstantin Khlebnikov ]
  * porto: allow devices at bindmount for root user
  * volume: add counter for lost volumes
  * porto: keep statistics in /run/portod.stat
  * helpers: drop CAP_SYS_RESOURCE
  * volume: add meta storage with space limit
  * test: now porto keeps counters after crash
  * container: add property symlink
  * porto: add documentation about meta-storages
  * volume: ext4 online resize needs CAP_SYS_RESOURCE
  * volume: lvresize needs CAP_SYS_RESOURCE too
  * volume: add counters for layer operations

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 01 Mar 2018 13:24:02 +0300

yandex-porto (4.9.1) unstable; urgency=low

  * volumes: fix races around owner container
  * fuzzer: refactor
  * porto: add network_count into system status
  * porto: logrotate should send signal to both daemons

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 14 Feb 2018 16:35:47 +0300

yandex-porto (4.9.0) unstable; urgency=low

  * container: stop now could be called with locked parent container
  * container: cleanup respawning
  * volume: save volume state before building
  * test: ignore max_respawns changes
  * test: respawn_count is a property now
  * test: fix default max_respawns
  * property: cleanup
  * volume: empty path should not be resolved into any volume
  * volume: fix some races
  * property: manage controllers in container
  * property: cleanup
  * property: merge container "data" into properties
  * property: rename data contants
  * proprty: add cpu_throttled
  * test: fix
  * network: add network namespaces counter

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 13 Feb 2018 19:11:18 +0300

yandex-porto (4.8.0) unstable; urgency=low

  * core: add CAP_SYS_PTRACE into ambient capabilities
  * cleanup: VirtMode == VIRT_MODE_OS -> OsMode
  * network: keep resolv_conf splitted into lines
  * ulimit: refactor structure
  * tests: fix ulimit
  * devices: always allow mknod for devices #PORTO-346
  * lvm: validate names #PORTO-347
  * network: disable embedded iproute by default #PORTO-348
  * volume: read-only should deny writes access
  * porto: rename some methods
  * devices: refactor structure
  * device: merge lists only by paths inside
  * container: expose id and level
  * volume: expose id
  * porto: make bind-mounts back non-recursive by default
  * porto: mount bind-mounts before populating rootfs
  * porto: use read-only bind mount for tracefs instead of new read-only mount
  * filesystem: cleanup bind mount operation
  * filesystem: disable proparation for bind-mounts
  * filesystem: enable next level proparation only from lower level mounts
  * porto: target path for volume links
  * rpc: use same structure for new volume link request
  * porto: fix compilation for ancient libstdc++
  * volume: use bind mount helper for mounting targets
  * portod: set timeout for start and stop to 300 seconds
  * container: stop with zero timeout should just kill top level init
  * container: at stop destroy all containers under single exclusive lock
  * portod: cleanup respawn sequences
  * portod: synchronize server update with client requests
  * portod: cleanup logging
  * portod: cleanup /run at stop
  * portod: detect if master is gone after reload
  * test: use bultin commands for upgrade
  * Revert "filesystem: enable next level proparation only from lower level mounts"
  * filesystem: fix permissions for created mountpoint targets

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 09 Feb 2018 19:49:16 +0300

yandex-porto (4.7.2) unstable; urgency=low

  * porto: cleanup GetSystem/SetSystem calls
  * portotop: add more counters for errors
  * porto: synchronize default resolv_conf with host

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 30 Jan 2018 19:48:47 +0300

yandex-porto (4.7.1) unstable; urgency=low

  * core: log state of ulimit and dumpable when refuse to dump
  * core: log actions with keyword "CORE"
  * Revert "porto: load and start saved containers atomatically"
  * Revert "portoctl: add save and load"
  * cgroup: do not include cgroup itself into list of childs
  * container: add GetThreadCount and GetProcessCount
  * porto: add property "memory_reclaimed"

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 29 Jan 2018 15:05:14 +0300

yandex-porto (4.7.0) unstable; urgency=low

  * portoctl build: add second bootstrap script
  * layers: remove debian and ubuntu-xenial-upstart add ubuntu-bionic
  * porto.md: list kernel features
  * porto: remove pre-start kludge
  * cgroup: remove kludge for 3.14
  * cgroup: do not mount disabled cgroups
  * cgroup: fix mounting cgroup for systemd
  * error: limit description with 64k
  * network: add optional ceil for default traffic class

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 25 Jan 2018 16:41:37 +0300

yandex-porto (4.6.0) unstable; urgency=low

  * container: update own cpu_limit_total when changing cpu_limit
  * porto: set backlog limit to max_clients
  * porto: in rpc proto wait timeout in ms
  * porto: fix Container.Wait in python api
  * log: print command name in response line
  * cgroup: walk sub-cgroups using TPathWalk
  * fuzzer: use smaller tmpfs
  * porto.md: add note abount replacing bind-mounts with volume backend=bind
  * error: use format for error extension
  * porto: supress error from non-fatal fails of helper calls
  * path: handle ENOENT in TPathWalk.Next()
  * container: use CT{Id}:{Name} for log and errors
  * client: log clients as CL{Fd}:{Comm}({Pid}) CT{Id}:{Name}
  * porto: add interface for getting/changing system properties
  * porto: add counters for common error codes

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 22 Jan 2018 17:37:12 +0300

yandex-porto (4.5.0) unstable; urgency=low

  [ Maxim Samoylov ]
  * api/python: add missing required field in ReExportLayer

  [ Konstantin Khlebnikov ]
  * porto: no exceptions
  * porto: detect unknown fields in protobuf rpc message

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 16 Jan 2018 11:59:38 +0300

yandex-porto (4.4.1) unstable; urgency=low

  * fuzzer: mark all created objects with private=porto-fuzzer
  * container: keep in sync states and counter of running childs
  * network: do not delete default network class and qdisc
  * porto: add more hints about porto namespaces
  * portoctl shell: forward tty if stdin is tty
  * fuzzer: fix cleanup
  * porto: always chdir back to root
  * error: fix errno to mesage conversion
  * container: map execve error EAGAIN as ResourceNotAvailable
  * path: normalize paths in DirName and BaseName
  * container: simplify resolv_conf configuration
  * volume: add build_time
  * fuzzer: simplify log grepping
  * fuzzer: filter containers by prefix
  * test: base version is 4.3.2
  * test: ingnore resolv_conf changes
  * property: add oom_kills
  * test: silence fuzzer progress

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 25 Dec 2017 12:31:47 +0300

yandex-porto (4.4.0) unstable; urgency=low

  * tests: move sudo inside
  * tests: add target porto_test
  * tests: cleanup
  * tests: really cleanup logs
  * layers: fix pip
  * layers: remove atop
  * cpu: keep power in ns/s and disable unneeded nested limits
  * tests: default cpu_limit is 0c
  * porto: memory accounting model
  * volume: add property target_container
  * porto: allow dynamic configuration device permissions
  * path: add TPathWalk
  * error: cleanup
  * test: fix
  * error: remove unsed templates
  * test: fix
  * layers: save data checksums and unpacked size into xattrs
  * core: chmod pipe to 0666 to let open it again

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 18 Dec 2017 17:56:22 +0300

yandex-porto (4.3.2) unstable; urgency=low

  * porto: env format is key=val;...
  * core: add option for sync size and increase up to 4Mb
  * core: update documentation
  * core: get also real uid:gid and executable file name
  * core: note core dump in logged exit status
  * container: fix races in PrepareWorkDir and RemoveWorkDir
  * logging: add prefixes CG, NL, NET
  * core: get cgroup from crashed thread
  * core: replace process name with exe file name in new format

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 01 Dec 2017 15:44:18 +0300

yandex-porto (4.3.1) unstable; urgency=low

  * volume: fix racy project quota enabling and checking
  * network: add option network.l3_default_mtu

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 27 Nov 2017 14:16:15 +0300

yandex-porto (4.3.0) unstable; urgency=low

  * porto: fail start if capabilities are out of bounds
  * property: update dynamic/ro in descriptions
  * portoctl: more human readable output for get
  * core: log more errors
  * porto: remove CAP_NET_ADMIN in chroot if ip_limit is set
  * coredump: use prefix even if container is gone
  * portoctl: exit with non-zero code for failed vlist and load

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 03 Nov 2017 17:17:40 +0300

yandex-porto (4.2.0) unstable; urgency=low

  * porto: remove working directory where it should not exist
  * porto: add reserves for superuser - host root user
  * porto: add per-slot limit for total size of saved core dumps
  * volumes: add container properties with backward relations
  * core: filter out zero pages from core dump

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 18 Oct 2017 15:46:32 +0300

yandex-porto (4.1.0) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * test: base version is 4.0.5
  * helper: pass cwd by file descriprtor
  * porto: start task in meta container with mount namespace

  [ Maxim Samoylov ]
  * property: make resolv_conf property dynamic

  [ Konstantin Khlebnikov ]
  * helper: fix building write protected mount namespace
  * porto: document network interface groups
  * volume: refactor state machine
  * volume: remove buggy kludge from UnlinkContainer
  * volume: fix dependency check
  * volume: add error code VolumeNotReady
  * api/python: add VolumeNotReady
  * volume: show all container references

  [ Maxim Samoylov ]
  * api/python: avoid using opened porto socket in children #PORTO-310

  [ Konstantin Khlebnikov ]
  * porto: ignore memory guarantee and limit for stopped container
  * property: add cpu_limit_total
  * portotop: rename and reorder columns
  * portotop: mark rows with '!'
  * network: show statistics from tap interfaces at owner container
  * network: use group "virtual" for L3, veth and tap devices
  * porot: fix error message for memory guarantee overcommit
  * test: fix mem-overcommit
  * test: fix mem-limit-total

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 09 Oct 2017 11:16:01 +0300

yandex-porto (4.0.7) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: update documentation

  [ Maxim Samoylov ]
  * test: disable selftest macvlan_statistics
  * test: perform apt-get update prior to testing upgrade

  [ Konstantin Khlebnikov ]
  * volume: add per-container place space usage limit
  * volume: fix race between DumpConfig and Destroy
  * volume: temporary hack for backward migration
  * porto: show and document some hidden properties
  * test: fix test for parent property

  [ Maxim Samoylov ]
  * test: do not hesitate download unauthenticated stable package
  * util/unix: close all fds except needed after fork in TranslatePid()

  [ Konstantin Khlebnikov ]
  * volume: add propery place_key
  * config: increase default codedump space limit to 100Gb

  [ Maxim Samoylov ]
  * property: deny root_pid requests from other pid domain containers

  [ Konstantin Khlebnikov ]
  * porto: increase mountinfo limit to 64Mb
  * porto: fix requesting root_pid from same container
  * volume: half-baked volumes could have no backend

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 21 Sep 2017 17:56:39 +0300

yandex-porto (4.0.6) unstable; urgency=low

  * porto: disable pressurize_on_death by default
  * contianer: fix misprint
  * test/recovery: replace sleep with proper synchronization
  * porto: make bind-mounts recursive
  * test: remove testcase clear
  * log: make sure fd is not stdout/stderr

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 05 Sep 2017 18:15:47 +0300

yandex-porto (4.0.5) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: stop for stopped container should do nothing
  * porto: cleanup cpu guarantee propagation
  * memory: disable meta container soft limit before starting child
  * property: pressurize_on_death
  * porto: update documentation
  * portotop: move columns by backspace

  [ Maxim Samoylov ]
  * util/unix: fix TranslatePid()

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Sun, 03 Sep 2017 18:04:29 +0300

yandex-porto (4.0.4) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * network: load ip6_tunnel if ip6tnl0 configured
  * porto: add property cpu_period
  * debian: add suggested packages
  * porto: add importing layers from squashfs
  * portoctl: add storage import and export
  * network: setup sysctl via host proc
  * network: do not setup qdisc for ip6tnl0

  [ Maxim Samoylov ]
  * filesystem: modify chroot environment mounts
  * cgroup: add systemd cgroup type

  [ Konstantin Khlebnikov ]
  * porto: set loginuid in container
  * porto: remove access to /dev/rtc0
  * portod: add option for default extra devices into portod.conf
  * porto: propogate cpu guarantee into parent containers

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 30 Aug 2017 17:05:06 +0300

yandex-porto (4.0.3) unstable; urgency=low

  [ Maxim Samoylov ]
  * api/python: always invalidate socket on any problems #PORTO-280

  [ Konstantin Khlebnikov ]
  * porto: fix indentation
  * porto: update documentation

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 21 Aug 2017 14:38:13 +0300

yandex-porto (4.0.2) unstable; urgency=low

  * manpage: add example of NAT configuration
  * network: do not setup proxy ndp for NAT
  * network: do not setup qdisc for dummy devices
  * network: do not touch statistics from other network namespace
  * network: lock also host network state when changing class configuration
  * network: always set ip6tnl0 up
  * volume: add export layers into squashfs
  * quota: add support for journalled ext4 and xfs quota
  * quota: define DQF_SYS_FILE

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 18 Aug 2017 18:47:01 +0300

yandex-porto (4.0.1) unstable; urgency=low

  * cgroup: sum statistics for virtio block deices into "hw"
  * volume: several lower layers for backend squash
  * cgroup: get host disk statistics from recursive counters
  * volume: destroy quota in backend squash
  * volume: add shortcut for read-only squash without extra layers

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 16 Aug 2017 20:13:55 +0300

yandex-porto (4.0.0) unstable; urgency=low

  [ Maxim Samoylov ]
  * porto: tiny fixes to make static analyzers happier #PORTO-258

  [ Konstantin Khlebnikov ]
  * network: debug stale classes

  [ Maxim Samoylov ]
  * network: add net option tap

  [ Konstantin Khlebnikov ]
  * property: add io_weight
  * porto: do not inherit cpu/io policy by isolate=false sub-containers
  * debian: cleanup build dependencies
  * porto: plug warnings
  * porto: rewrite documentation
  * porto: check magic for uncompressed tarball
  * porto: update documentaion
  * porto: deprecate bind_dns and disable by default #PORTO-170
  * porto: fix dependencies for travis

  [ Fedor Korotkiy ]
  * Fix rpm build on fedora 25

  [ ginta1337 ]
  * porto: fix major:minor string format checks in ResolveDisk

  [ Konstantin Khlebnikov ]
  * tests: fix for bind_dns=false
  * tests: fix for bind_dns=false
  * network: cleanup device configuration
  * network: fix net property validation
  * test: cleanup /var/log/portoloop.log
  * porto: set dirty_limit=256M for portod-helpers
  * cgroup: configure cfs reserve for rt in the same way as for high
  * util: remove verbose logging from ClearDirectory
  * porto: more verbose permission errors description
  * filesystem: consider volume ownership for bind-mounts
  * network: recreate proxy neighbours every 60 seconds
  * porto: update documentation
  * util: cleanup SplitString
  * test/fizzer: ignore NoSpace
  * test/upgrade: check upgrade from 3.8.2
  * porto: cleanup documentation
  * layers: add build.sh
  * network: fix warning
  * porto: update documentation
  * volume: refactor loop device
  * volume: enable O_DIRECT for loop backend
  * volume: add squash backend
  * volume: use direct-io for loop starting from 4.4
  * porto: document volume backend=squash

  [ Maxim Samoylov ]
  * client: always print identification info #PORTO-261

  [ Konstantin Khlebnikov ]
  * porto: cleanup wait response
  * porto: add debug logging level

  [ Maxim Samoylov ]
  * container: fix typo in GetEnvironment()

  [ Konstantin Khlebnikov ]
  * porto: load default resolv_conf from host /etc/resolv.conf
  * layers: preserve xattrs if tar supports them
  * porto: refactor deamons and logging
  * porto: turn bind_dns into alias for binding /etc/hosts
  * test: remove bind_dns
  * test: fix root_property
  * portoctl: flush cout in print
  * porto: reset default resolv_conf if container has no root
  * test: fix root_readonly
  * network: initialize statistic generation
  * network: fix ipip6
  * network: allow ip6tnl0 configuration

  [ Maxim Samoylov ]
  * test/porto_fuzzer: remount fuzzer_mnt tmpfs on each start

  [ Konstantin Khlebnikov ]
  * volume: lvm backend
  * volume: add thin lvm backend
  * network: add configuration via iproute in property net
  * volume: document lvm backend
  * network: setup qdisc filter after adding default class
  * util/path: add WriteAtomic and fix WritePrivate
  * porto: deprecate some config options
  * cgroup: handle mainstream non-covercommitable rt cpu_limit
  * porto: update cpu_limit documentation
  * porto: always name container as CT<id> or CT<id>:<name>
  * property: add io_time and total sum for all real disks
  * portotop: disable column by 'd'
  * property/io: resolve relative disk path in chroot, rename "total" -> "hw"
  * portoctl: add save and load
  * porto: load and start saved containers atomatically

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 11 Aug 2017 17:08:34 +0300

yandex-porto (3.9.0) unstable; urgency=low

  [ Maxim Samoylov ]
  * task: fix fd closing prior to execve()
  * portoctl: fix exec cmd interface #PORTO-112
  * property: report more information on container state #PORTO-112
  * test: include performance as main test

  [ Konstantin Khlebnikov ]
  * porto: set default thread_limit to 10000 for first level containers
  * porto: set container ioprio by property io_policy
  * cgroup: try to initialize cpu.rt_runtime_us = -1 for new cgroups

  [ Maxim Samoylov ]
  * net: rework net tc classes creation #PORTO-201
  * property: allow forcing read of actual net stats

  [ Konstantin Khlebnikov ]
  * porto: rename force_data_refill -> sync

  [ Maxim Samoylov ]
  * net: do not throw WRN if object/device not found
  * net: fix locking in NetWorker.RefreshStats()
  * api/python: fixup typo

  [ Konstantin Khlebnikov ]
  * container: use next id instead of first and log it before name

  [ Maxim Samoylov ]
  * api/python: add option for disable auto-reconnect #PORTO-248

  [ Konstantin Khlebnikov ]
  * test: replace perf with python version
  * network: refactor once again
  * porto: set maximum level to 16

  [ Maxim Samoylov ]
  * portotop: always display parents of self container #PORTO-250

  [ Konstantin Khlebnikov ]
  * portotop: select self container initially
  * porto: resolve "/../" in container path
  * porto: container name normalizarion removes extra /
  * porto: add property cache_usage
  * portotop: show only real values
  * portotop: @ - go to self container
  * porto: set default cpu limit back to total cores

  [ Maxim Samoylov ]
  * portotop: menu for column selection
  * portotop: fix legacy mess with memory management

  [ Konstantin Khlebnikov ]
  * storage: limit place load

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 10 Jul 2017 14:45:30 +0300

yandex-porto (3.8.2) unstable; urgency=low

  [ Maxim Samoylov ]
  * path: enhance pivoting root to non-mnt directory #PORTO-243
  * filesystem: verify chroot directory existence

  [ Konstantin Khlebnikov ]
  * network: init virtualized sysctls with host values
  * network: fix misprint
  * network: default net.unix.max_dgram_qlen is 10 systemd set it to 512
  * log: remove duplicate \n

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 05 Jun 2017 17:39:30 +0300

yandex-porto (3.8.1) unstable; urgency=low

  * porto: do not set memory.use_hierarchy for root cgroup

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 02 Jun 2017 17:09:43 +0300

yandex-porto (3.8.0) unstable; urgency=low

  [ Maxim Samoylov ]
  * rpc: traverse volume containers safely
  * test: wait up to 1 minute in mem-recharge
  * test/porto_fuzzer: allow wait for multiple containers
  * test/porto_fuzzer: mind that PermissionError can occur on volume operation

  [ Konstantin Khlebnikov ]
  * layers: add common resolv.conf and hosts

  [ Maxim Samoylov ]
  * util/netlink: fix typo in TNlLink::AddDirectRoute()
  * network: add ipip6 net option #PORTO-239

  [ Konstantin Khlebnikov ]
  * property: document ipip6 interface
  * porto: fix disabling memory controller for first level containers
  * portoctl get: make env human readable
  * porto: enable memory.use_hierarchy for all cgroups unconditionally

  [ Maxim Samoylov ]
  * helpers: use rm -rf instead of find -delete where possible
  * test: test porto performance scalability and regression

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 02 Jun 2017 15:53:31 +0300

yandex-porto (3.7.7) unstable; urgency=low

  [ Maxim Samoylov ]
  * container: do not treat ro container place on start as tragedy #PORTO-238

  [ Konstantin Khlebnikov ]
  * porto: prioritize default_porto_namespace in config during upgrade

  [ Maxim Samoylov ]
  * container: get rid of PrepareWorkDir()

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 22 May 2017 12:56:10 +0300

yandex-porto (3.7.6) unstable; urgency=low

  [ Maxim Samoylov ]
  * test: replace raw asserts with expects in recovery
  * util/path: use correct stringstream type
  * util/path.cpp: simplify TPath::ReadLines() function
  * util/path: do not use /proc/self/mounts as source #PORTO-234
  * test: replace heavy mem_limit test with fast limit sanity test

  [ Konstantin Khlebnikov ]
  * portoctl build: use same network namespace for bootstrap and scripts
  * portoctl top: do first refresh after 300ms
  * portoctl list: fix description

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 18 May 2017 16:40:08 +0300

yandex-porto (3.7.5) unstable; urgency=low

  [ Maxim Samoylov ]
  * kvalue: remove tmp file after failed store attempt
  * test: cpu_limit overhaul
  * portod: process oom eventfd when oom_is_fatal disabled
  * selftest: add missing wait for stdout rotation

  [ Konstantin Khlebnikov ]
  * container: fix race in DistributeCpus
  * container: handle relative cwd

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 15 May 2017 15:19:53 +0300

yandex-porto (3.7.4) unstable; urgency=low

  * devices: always apply default permissions for first level containers
  * devices: check already existing device nodes

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 25 Apr 2017 13:52:36 +0300

yandex-porto (3.7.3) unstable; urgency=low

  [ Maxim Samoylov ]
  * storage: track real names of active paths
  * cgroup: perform active wait for empty cgroup on remove

  [ Konstantin Khlebnikov ]
  * cpuset: two-phase cpu affinity commit

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 21 Apr 2017 13:20:53 +0300

yandex-porto (3.7.2) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * container: set default vacant cpus
  * network: fix shared l3 namespace counters

  [ Maxim Samoylov ]
  * volume: drop nested umounts while destructing volume

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 18 Apr 2017 22:05:00 +0300

yandex-porto (3.7.1) unstable; urgency=low

  * network: compare parsed ip addresses for detecting l3 migration

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 18 Apr 2017 16:22:41 +0300

yandex-porto (3.7.0) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * cpu: forbid cpu reservation if cpu guarantee needs them all
  * cpu: ignore cpu guarantee bigger than machine
  * cpu: add property cpu_weight for scaling cpu shares, nice and priority
  * property: add oom_score_adj
  * portoctl: add option -r to command list: show only running
  * porto: always log requests longer than 1 second

  [ Maxim Samoylov ]
  * portotest,portoctl: get rid of log.hpp include

  [ Konstantin Khlebnikov ]
  * porto: bundle library fmt 3.0.1

  [ Maxim Samoylov ]
  * porto: use fmt for log messages formatting
  * container: add missing cpu affinity lock

  [ Konstantin Khlebnikov ]
  * network: reuse L3 namespaces with identical addresses

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 17 Apr 2017 20:19:19 +0300

yandex-porto (3.6.2) unstable; urgency=low

  * cgroup: fix setting zero dirty limit
  * porto: handle events by special client #PORTO-210

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 05 Apr 2017 13:33:38 +0300

yandex-porto (3.6.1) unstable; urgency=low

  [ Maxim Samoylov ]
  * network: drop tc cache after touching classes tree

  [ Konstantin Khlebnikov ]
  * cgroup: initialize new cpuset cgroups
  * cgroup: update only changed cpu affinity
  * test: remove truncate_logs
  * test/upgrade: check upgrade from 3.2.10

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 30 Mar 2017 19:50:34 +0300

yandex-porto (3.6.0) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * network: define TC_LINKLAYER_ETHERNET for older linux headers
  * network: linklayer in struct tc_ratespec is __reserved in ancient linux headers
  * porto: forbid write-access in permission checks for procfs
  * container: walk subtree in dfs order
  * util: add bitmap
  * cpuset: exclusive cpu cores

  [ Maxim Samoylov ]
  * net: report net statistics for link groups too

  [ Konstantin Khlebnikov ]
  * network: network limits for devices in group
  * network: do not use thread-unsafe ether_aton
  * network: inherit device group from master device
  * network: cache interface and traffic class statistics for 1s
  * portoctl/get: cleanup human format

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 27 Mar 2017 19:46:27 +0300

yandex-porto (3.5.0) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * coredump: copy container owner_user and owner_group #PORTO-199
  * util/string: ignore empty flag names

  [ Vsevolod Velichko ]
  * api/python: fix broken storage operations

  [ Konstantin Khlebnikov ]
  * api/python: fix broken storage operations v2

  [ Maxim Samoylov ]
  * rpc: make AttachProcess() comm parameter optional
  * cgroup: treat zero cpu limit as unlimited quota

  [ Konstantin Khlebnikov ]
  * porto: add mode enable_porto=self-isolate
  * test: cleanup test-self-container.py

  [ Maxim Samoylov ]
  * rpc: add LocateProcess() handler #PORTO-200
  * test: add test for LocateProcess() call

  [ Konstantin Khlebnikov ]
  * porto: fix inverted check of volume owner access

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 17 Mar 2017 19:50:54 +0300

yandex-porto (3.4.0) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * portotop: remove config and duplicate buttons
  * porto: core dump forwarding

  [ Maxim Samoylov ]
  * volume: try removing weak layers after volume unregister #PORTO-194
  * property: override enable_porto hierarchy on restore #PORTO-195
  * test/porto_fuzzer: use net and ip properties
  * portod: always occupate std{in,out,err} on startup

  [ Konstantin Khlebnikov ]
  * porto: add property ip_limit #PORTO-196

  [ Maxim Samoylov ]
  * util/namespace, cgroup: assert special fds value #PORTO-191
  * util: fix fcntl(F_DUPFD_CLOEXEC) parameter for sanity

  [ Konstantin Khlebnikov ]
  * porto: restore network for non-isolated meta container #PORTO-197

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 02 Mar 2017 17:32:52 +0300

yandex-porto (3.3.2) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: append porto_namespace set inside enable_porto=isolate #PORTO-188

  [ Maxim Samoylov ]
  * network: ingress bandwidth limit

  [ Konstantin Khlebnikov ]
  * string: print only up to 1 digit after dicimal point for size values
  * portotop: add net rx bytes
  * portotop: add self and root containers
  * portotop: add borders around dialogs
  * portotop: update data only by periodically
  * portotop: remember selected container
  * portotop: sort states by importance
  * portotop: show memory_limit/guarantee if total not supported
  * portotop: print version
  * portotop: destroy columns before containers
  * portotop: adjust horizontal position

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 24 Feb 2017 17:39:20 +0300

yandex-porto (3.3.1) unstable; urgency=low

  * porto: do not drop active connections
  * porto: carefully check namespace for write access

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 20 Feb 2017 16:47:53 +0300

yandex-porto (3.3.0) unstable; urgency=low

  * test: check dirty_limit
  * test/test-dirty-limit.py: check fs_dirty for older kernels
  * test/test-security.py: fix default porto namespace
  * test/test-portoctl-attach.py: fix default porto namespace
  * test/test-self-container.py: fix default porto namespace
  * test/test-cpu_limit.py: use weak containers
  * test/test-uid_handling.py: fix default porto namespace
  * test/test-prev_release_upgrade.py: fix for default porto namespace
  * tests: reorder by importance and speed
  * porto: do not enable default porto namespace during restore
  * porto: loose namespace restrictions for attaching tasks from current container
  * porto: add mode enable_porto=isolate

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 17 Feb 2017 14:53:12 +0300

yandex-porto (3.2.10) unstable; urgency=low

  * container: do not configire cpu cgroup if controller isn't enabled
  * portoctl: set root volume/storage private in run/exec
  * test: check memory recharge of page faults and mlock #PORTO-185
  * cgroup: disable memory guarantee in old cgrpup during upgrade

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 13 Feb 2017 19:37:08 +0300

yandex-porto (3.2.9) unstable; urgency=low

  [ Maxim Samoylov ]
  * volume: do not consider storage as dependency for some backends #PORTO-181

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 07 Feb 2017 12:57:25 +0300

yandex-porto (3.2.8) unstable; urgency=low

  [ Maxim Samoylov ]
  * api/python: fix typo in AttachProcess() handler #PORTO-178

  [ Konstantin Khlebnikov ]
  * test/test-recovery.py: reduce count 3000 -> 100 containers
  * capabilities: cleanup propagation
  * capabilities: allow CAP_SETPCAP and CAP_SETFCAP in chroot #PORTO-177
  * capabilities: allow CAP_NET_RAW and CAP_NET_BIND_SERVICE in host network #PORTO-177
  * test: cleanup user switching
  * test/test-prev_release_upgrade.py: create containers by unprivileged user
  * test: fixes
  * test/test_common.py: catch exception if user/group not found
  * test/test-knobs.py: run as root

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Sun, 05 Feb 2017 17:20:00 +0300

yandex-porto (3.2.7) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * network: resolve net=container ralative to the client
  * network: remove network capabilities if not isolated from host
  * porto: add property for tuning sysctl
  * porto: silence too verbose event delivery

  [ Maxim Samoylov ]
  * util/quota: search /proc/self/mountinfo for quota mount point

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 01 Feb 2017 17:22:16 +0300

yandex-porto (3.2.6) unstable; urgency=low

  * test: move go_api upper
  * storage: move permissions checks into operations
  * porto: update compiler flags
  * portoinit: disable core dumps
  * rpc: remove unised arguments
  * portod: drop idle client when new client hit connection limit
  * client: client container could be null diring logging
  * logging: print decoded commands in verbose mode

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 27 Jan 2017 18:12:55 +0300

yandex-porto (3.2.5) unstable; urgency=low

  [ Maxim Samoylov ]
  * api/go: sync porto go api
  * api/go: tests for introduced wrappers
  * api/go: change src/api/go directory layout

  [ Konstantin Khlebnikov ]
  * client: always load supplementary groups
  * storage: do not follow symlinks for reading private value
  * storage: require access to place for listing operations too

  [ Maxim Samoylov ]
  * api/go: list layers as objects

  [ Konstantin Khlebnikov ]
  * test: add go_api

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 18 Jan 2017 17:56:46 +0300

yandex-porto (3.2.4) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * volume: add strict unlink with non-lazy umount

  [ Maxim Samoylov ]
  * helpers: fix helper stderr printing
  * test: check quota consistency on overlay copy-up
  * test: check overlay opaque xattr test

  [ Konstantin Khlebnikov ]
  * test: warn if opaque xattr is lost
  * volume: initialize permissions for new loop and overlay in user storage
  * cgroup: kill and remove cgroups harder

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 17 Jan 2017 14:41:58 +0300

yandex-porto (3.2.3) unstable; urgency=low

  * property: ignore dirty_limit setup if not supported by kernel

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 12 Jan 2017 22:47:03 +0300

yandex-porto (3.2.2) unstable; urgency=low

  [ Maxim Samoylov ]
  * test: verify memory limits are hold

  [ Konstantin Khlebnikov ]
  * volume: keep persistent storage after upgrade
  * volume: depend on path parent directory
  * client: suppress warning if client disconnects before reply

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 12 Jan 2017 15:28:38 +0300

yandex-porto (3.2.1) unstable; urgency=low

  * cred: use root group if group porto isn't found
  * porto: report forbidden character in codes
  * storage: guess tarball compressing by magic and allow override in rpc

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 11 Jan 2017 15:09:38 +0300

yandex-porto (3.2.0) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * layers: keep owner and last usage

  [ Maxim Samoylov ]
  * volume: add internal persistent storage
  * test: check internal persistent storage work

  [ Konstantin Khlebnikov ]
  * filesystem: cleanup and rework permissions checks
  * task: create second socket pair in third process
  * cgroup: disable rt limit if it is bigger than root rt limit
  * helpers: redirect stdout to stderr if no output set

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 10 Jan 2017 12:36:39 +0300

yandex-porto (3.1.10) unstable; urgency=low

  [ Maxim Samoylov ]
  * test/porto_fuzzer: improve error reporting
  * task: silence start L_ERR() when short on memory

  [ Konstantin Khlebnikov ]
  * scripts/prepare_test: fix getent
  * fuzzer: cleanup layers
  * layers: add protobuf-compiler
  * portoctl/build: inherit script environment from launcher
  * portoctl/build: flag StartOS must override property virt_mode

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 26 Dec 2016 17:48:12 +0300

yandex-porto (3.1.9) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * portotop: print days in duration fields
  * porto: add per-container request counter
  * cgroup: add knob cpu_wait
  * cgroup: turn off rt limit before any change
  * cgroup: enforce minimum 1ms per 100ms cpu limit for rt
  * util/string: perform strict string to numeric conversion
  * config: deprecate all path options
  * porto: shorten CurrentContainer and CurrentClient to CT and CL
  * property: add hook into container start
  * porto: allow containers with any user:group in chroot
  * test/knobs: fix for vanilla kernels

  [ Maxim Samoylov ]
  * layer: store private string associated with layer
  * test: cleanup volume_places leftovers on failure
  * test: add cpu_limit test

  [ Konstantin Khlebnikov ]
  * volume: verify overlay storage layout

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 21 Dec 2016 15:38:40 +0300

yandex-porto (3.1.8) unstable; urgency=low

  [ Maxim Samoylov ]
  * python/api: add "non-blocking" TryConnect method
  * test: check if we can use dirty_limit
  * test/porto_fuzzer: do not use killer by default for now

  [ Konstantin Khlebnikov ]
  * portod: synchronize freezer and state in both directions

  [ Maxim Samoylov ]
  * portod: don't be so afraid of pid delivery fail
  * volume: remove invalid volumes after node restore
  * volume: let Destroy clean everything after Build fail
  * test/porto_fuzzer: teach fuzzer trigger master reexec

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 15 Dec 2016 13:01:51 +0300

yandex-porto (3.1.7) unstable; urgency=low

  [ Maxim Samoylov ]
  * test: check containers with cpu rt upgrade

  [ Konstantin Khlebnikov ]
  * test/upgrade: fix for xenial
  * test/upgrade: do not check dirty_limit
  * container: disable smart before migration even with group rt
  * container: not kill tasks in shared cgroups if task start fails

  [ Maxim Samoylov ]
  * test: check failed started child artifacts
  * container: account container failed start requests
  * network: do not dereference invalid cls
  * container: initialize RootPath on restore
  * rpc: resolve volume related to container root in ExportLayer
  * layer: perform import when merging into new layer
  * test: cleanup knobs test
  * property: rework input escaping

  [ Konstantin Khlebnikov ]
  * portod: detect exit of slave earlier

  [ Maxim Samoylov ]
  * test/fuzzer: add option to let fuzzer kill porto
  * test/porto_fuzzer: do not touch pause/resume/respawn for now
  * test: enable killing for fuzzer ctest invocation

  [ Konstantin Khlebnikov ]
  * container: do not log EBUSY for anon_limit
  * client: skip empty group list

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 12 Dec 2016 20:45:42 +0300

yandex-porto (3.1.6) unstable; urgency=low

  * cgroup: fix upgrade for kernels without group rt scheduler

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 05 Dec 2016 20:07:59 +0300

yandex-porto (3.1.5) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * test: two more non-portod fd
  * container: split scheduler policy and cpu cgroup config
  * property: remove error logging if cgroup isn't found

  [ Maxim Samoylov ]
  * test: verify ClearDirectory performance

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 05 Dec 2016 19:14:03 +0300

yandex-porto (3.1.4) unstable; urgency=low

  * cgroup: add cpu rt runtime limit
  * cgroup: remount /sys/fs/cgroup read-write

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 02 Dec 2016 16:02:40 +0300

yandex-porto (3.1.2) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * property: adjust default ulimits
  * container: add thread/process counters and thread limit by pids cgroup

  [ Maxim Samoylov ]
  * test: check stale tc cleanup
  * test: check leaf classes proper restoring
  * helpers: only warn about unsuccessful helper exit
  * util/path: implement UmountNested
  * volume: try to umount nested mountpoints in internal
  * volume: restore volumes in creation order
  * volume: destroy restored volume without containers
  * volume: serialize and maintain dependencies

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 01 Dec 2016 16:55:09 +0300

yandex-porto (3.1.1) unstable; urgency=low

  * test/test-knobs: fix spaces in ulimit
  * property: keep ulmits in text representation
  * property: make ulimit hierarchical

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 25 Nov 2016 18:52:53 +0300

yandex-porto (3.1.0) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * container: stop root container on shutdown

  [ Maxim Samoylov ]
  * portod: restore runtime context for not stopped containers only

  [ Konstantin Khlebnikov ]
  * client: set TaskCred to root for system client
  * property: allow super user set inconsistent cpu limits
  * property: allow any state of enable_porto for super user
  * property: add boolean flag oom_is_fatal

  [ Maxim Samoylov ]
  * volume: warn user of loop misconfiguration early

  [ Konstantin Khlebnikov ]
  * volume: remove remove clear storage directories using helper
  * volume/overlay: handle as much layers as possible
  * network: add leaf tc classes for each container
  * porto: switch cpu_policy=rt from cpu.smart to SCHED_RR directly
  * cgroup: add blkio bps and iops limits
  * property: fix descriptions and show more network properties
  * property: make ulimit dynamic
  * properties: format ulimits in alphabetical order

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 24 Nov 2016 23:11:02 +0300

yandex-porto (3.0.20) unstable; urgency=low

  * porto: destroy container if some property cannot be restored
  * network: recreate network if something goes wrong
  * test/tc-rebuild: update expected warnings
  * network: try to destroy tc class and craete again if creation fails
  * porto: stop virt_mode=os with SIGTERM/SIGPWR only if signals are handled

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 18 Nov 2016 20:26:13 +0300

yandex-porto (3.0.19) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * container: always sanitize capabilities after restore
  * porto: start systemd service in postinst script
  * bash-completion: split portoctl and portod snippets
  * layers: add libnss-myhostname

  [ Maxim Samoylov ]
  * property: unify multi-value string format
  * test: fix recovery test
  * test: check properties idempotency
  * test: check property values on upgrade

  [ Konstantin Khlebnikov ]
  * test: fix cleanup_logs

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 18 Nov 2016 14:36:14 +0300

yandex-porto (3.0.18) unstable; urgency=low

  * network: add option quantum for per-container leaf qdisc
  * network: use pfifo limit=1000p for leaf qdiscs by default

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 17 Nov 2016 12:46:57 +0300

yandex-porto (3.0.17) unstable; urgency=low

  * capabilies: restore container using system credentials

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 16 Nov 2016 16:30:31 +0300

yandex-porto (3.0.16) unstable; urgency=low

  * property: do not warn about bogus cpu guarantee
  * network: always set net_cls.classid for new cgroups
  * portoctl: split environment before merging back for run and exec
  * portod: fix upgrade from older versions
  * property: add missing SetProp for private and owner_group

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 16 Nov 2016 16:02:46 +0300

yandex-porto (3.0.15) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: add separate state for starting containers
  * property: show root_pid and handle all possible pid namespace combinations
  * property: show tc class id in net_class_id
  * porto: stop virt_mode=os container using SIGPWR
  * selftest: allow SYS_BOOT

  [ Vsevolod Velichko ]
  * api/python: fix ConvertPath
  * api/python: style fixes

  [ Konstantin Khlebnikov ]
  * portoctl: fix command convert
  * network: reconfigure hfsc
  * selftest: fix CAP_SYS_BOOT again
  * selftest: fix net_guarantee check
  * test/test-recovery: fix SYS_BOOT
  * util/cred: retry with bigger buffer
  * container: after failed stop free free resources with write lock
  * util/cred: fix UserName()
  * property: fix net_class_id without network
  * container: fix race in create
  * network: do not enable net_cls for inherited network
  * layers: add debian jessie and stretch
  * layers: fix debian templates
  * property: hide net_class_id

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 14 Nov 2016 14:43:48 +0300

yandex-porto (3.0.14) unstable; urgency=low

  * porto: fix clang warnings
  * portod: redirect stdout and stderr into log
  * util/path: fix use-after-free in ClearDirectory
  * porto: fix stack overflow with address sanitizer
  * property: only warn about cpu guarantee misconfiguration
  * property: add containers_oom into porto_stat
  * porto: print error in TContainer::Load
  * container: disable smart when moving task into new cgroup
  * proprty: add missing colon into ulimit format

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 10 Nov 2016 19:28:25 +0300

yandex-porto (3.0.13) unstable; urgency=low

  [ Maxim Samoylov ]
  * container: set running state earlier
  * test: verify iteraction of owner_user/user with subcontainers

  [ Konstantin Khlebnikov ]
  * porto: save container creation and start time
  * util/unix: gcc 4.x don't have std::put_time
  * cgroup: try to merge memory and blkio together

  [ Maxim Samoylov ]
  * event: fix missed event name
  * portoctl: add wait option for run command
  * test: cleanup logs prior to testing

  [ Konstantin Khlebnikov ]
  * container: after restart apply all set dynamic properties
  * property: memory limit must be at least 1Mb

  [ Maxim Samoylov ]
  * property: allow memory limit to be set as zero
  * test/selftest: fixes after elevated minimum memory limit
  * util/unix: fix typo in TTask::Kill()
  * rpc: use read lock for container kill operation
  * container: allow lock downgrading for potential slow operations

  [ Konstantin Khlebnikov ]
  * cgroup: do not report memory.failcnt as OOM event

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 08 Nov 2016 20:36:41 +0300

yandex-porto (3.0.12) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: recheck container state and age before auto destruction
  * porto: allow device nodes on root filesystem
  * layers: split bootstrap layer into several scripts
  * debian/rules: always install bash-completion

  [ Maxim Samoylov ]
  * helpers: log stderr of failed helper invocations

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 02 Nov 2016 17:34:17 +0300

yandex-porto (3.0.11) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: system client belongs to root container
  * porto: lock parent container for read when creating child
  * util/unix: reap and detach task in TTask::Deliver
  * task: report wpid before starting child or from child task itself
  * property: access to unknown property must return InvalidProperty

  [ Maxim Samoylov ]
  * test: make fuzzer fail more clear
  * test/fuzzer: use owner_user and owner_group knobs

  [ Konstantin Khlebnikov ]
  * test/fuzzer: ignore InvalidProperty

  [ Maxim Samoylov ]
  * test: fix volume_places cleanup
  * test: move killing tests out of portotest executable
  * test: test porto with sequential set of tests
  * test: check portod cli interface
  * test: check if portod can be successfully upgraded and downgraded
  * test: add stub for printing portod state

  [ Konstantin Khlebnikov ]
  * portod: fix log rotation, dead contaienrs gc and network watchdog
  * selftest: reduce load in stdout_limit

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 01 Nov 2016 15:41:45 +0300

yandex-porto (3.0.10) unstable; urgency=low

  * porto: fix default porto_namespace for default_porto_namespace

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 21 Oct 2016 16:38:42 +0300

yandex-porto (3.0.9) unstable; urgency=low

  [ Maxim Samoylov ]
  * container: perform property index parsing stricter

  [ Konstantin Khlebnikov ]
  * porto: fix locking around children list
  * porto: do not trust libc getpid after fork
  * container: drop network if restore failed
  * container: remove CallPostorder
  * porto: debug container locks
  * util/task: fix race between fork and exit
  * container: also dump subtree locks
  * porto: split owner and task credentials
  * property: cleanup permissions checks for changing user and group

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 21 Oct 2016 14:12:05 +0300

yandex-porto (3.0.8) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: forbid process attachment to isolated container
  * portod: close pipes in master process after upgrade
  * porto: add property exit_code
  * fuzzer: perform more container actions
  * porto: use more fair read-write lock for containers
  * porto: recreate cgroups and move processes at restore
  * porto: remove legacy cgroup layout
  * porto: handle subprocess exit in main event loop
  * porto: spawn portoinit for non-isolated application containers
  * portoinit: add waiting for non-child process via ptrace seize
  * porto: catch reparented wait tasks with ptrace seize
  * util/task: try to deliver exit status by waiting thread too
  * container: make read lock hierarchical
  * rpc/get: lock all containers for read
  * fuzzer: increase timeout
  * api/python: operation timeout shouldn't be shorter than connection timeout
  * scripts/standalone_test: remove logs before start
  * porto: track requests completion time

  [ Maxim Samoylov ]
  * container: silence error logging on cgroup EINVAL

  [ Konstantin Khlebnikov ]
  * porto: limit count of clients for each container with 500

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 17 Oct 2016 15:35:12 +0300

yandex-porto (3.0.7) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: remove special defaults for containers created by root
  * porto: always create mount namespace and protect proc
  * property: fix dirty_limit applying
  * porto: add hugetlb limit
  * porto: add missing breaks into TContainer::Event()
  * porto: mount hugetlbfs in container
  * porto: make huge pages unlimited by default
  * portoctl/get: do not print empty values

  [ Maxim Samoylov ]
  * container: fix stopping hierarchies with paused children
  * container: set dead state for meta containers in Reap()

  [ Konstantin Khlebnikov ]
  * container: fix IsRoot() in construtor

  [ Maxim Samoylov ]
  * property: enforce child cpu limit and guarantee not bigger than parent setting

  [ Konstantin Khlebnikov ]
  * cgroup: fix anon_usage failback
  * portoctl/get: cut long stdout and stderr
  * container: split Start in two methods
  * porto: increase default threads count to 32
  * volumes: limit count with 3000
  * Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
  * porto: remove non-directories from porto_layers
  * porto: replace Popen with RunCommand
  * volume: verify place our of volume lock
  * porto: after restore destroy weak containers starting from leaves
  * porto: cleanup discard sequence
  * portod: do not destroy root in DestroyContainers
  * porto: get exlusive lock for starting parent containers

  [ Maxim Samoylov ]
  * property: do not allow dirty_limit to be less than 1M
  * property: verify hugetlb limit

  [ Konstantin Khlebnikov ]
  * util/path: add bunch of fd-relative operations

  [ Maxim Samoylov ]
  * network: initialize TNetCfg members

  [ Konstantin Khlebnikov ]
  * container: rework recursive destruction
  * volume: rework recursive destruction
  * porto: add optional pattern to list command
  * porto: allow "?" in wait pattern and match any container by "***"
  * porto: allow container patterns in get command
  * api/python: fix list pattern
  * volume: prevent volume path overlaps
  * portod: keep path to binary in /run/portod
  * cpu: add policy high and batch
  * porto: use ForkFromThread in RunCommand
  * porto: cleanup wait wakeup conditions and locking
  * portoctl: update top header
  * volume: protect state with global lock
  * volume: add property containers for initial links
  * porto: set nice for rt and high cpu policy
  * porto: add cpuset
  * porto: always setup enabled cpuset
  * porto: fix state restoring
  * porto: don't enable cpuset for first level containers by default

  [ Maxim Samoylov ]
  * util/log: Add debug loglevel and use it for stacktraces

  [ Konstantin Khlebnikov ]
  * porto: print stacktrace for each error in verbose mode

  [ Maxim Samoylov ]
  * portod: fix typo
  * portod: stop root container prior to container tree destruction
  * tests: fuzzer essential enhancements

  [ Konstantin Khlebnikov ]
  * test/selftest: add hugepages
  * test/selftest: add hugepages once more
  * porto: attach process operation
  * porto: do not wait thaw when terminate paused container

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 13 Oct 2016 19:28:51 +0300

yandex-porto (3.0.6) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: load cls_cgroup before mounting net_cls cgroup when needed
  * porto/volume: log error if cannot cleanup loop image

  [ Maxim Samoylov ]
  * container: do not remove the container on failed network restore
  * portod: make portod slave stop timeout configurable

  [ Konstantin Khlebnikov ]
  * util/unix: TPidFile
  * portod: remove paths to pid files from config
  * porto: fix self/xxx in root container and portoctl find

  [ Maxim Samoylov ]
  * api/python: rework client-side RPC timeout
  * api/python: get rid of duplicate handlers in RPC

  [ Konstantin Khlebnikov ]
  * api/python: add container method Set(**kwargs)
  * api/python: fix MergeLayer

  [ Maxim Samoylov ]
  * container: verify container state integrity on restore
  * api/python: fix deadline for connection without timeout
  * portod: implement new portod cli

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 30 Sep 2016 20:06:26 +0300

yandex-porto (3.0.5) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: add global reference to root container
  * porto: hide root container from list
  * porto: kill pseudo-container /porto
  * network: add option config.network.proxy_ndp=true/false
  * network: add addrlabel
  * network: add permanent neighbour for host gateway address inside net=L3
  * fuzzer: fix after api changes
  * porto: rewrite structure and locking
  * porto: optional nonblock for get operation

  [ Maxim Samoylov ]
  * layer: implement synchronization for layer operations
  * helper: run helper commands in a separate memory cgroups
  * volume: fail when configuring overlay backend without layers
  * volume: forbid resize of loop volumes smaller than 512M
  * volume: check loop storage collisions more careful

  [ Konstantin Khlebnikov ]
  * util/quota: report NotSupported if cannot enable

  [ Maxim Samoylov ]
  * test: smoke-test for volume backends

  [ Konstantin Khlebnikov ]
  * porto: cleanup temp dir after restore

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 22 Sep 2016 18:10:57 +0300

yandex-porto (3.0.4) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: rework volume state machine
  * volumes: IsLayersSet -> HaveLayers
  * volumes: add backend=bind

  [ Maxim Samoylov ]
  * container: get rid of RootPath() dynamic evaluation

  [ Konstantin Khlebnikov ]
  * container: check .. in root path

  [ Maxim Samoylov ]
  * volume: initialize volume space_limit with existing loop image size
  * volume: let loop backend use regular files as storage
  * volume: implement resize operation for loop backend

  [ Konstantin Khlebnikov ]
  * volume: do not allow read-write loop share storage

  [ Maxim Samoylov ]
  * container: auto-create volume for root with loop image

  [ Konstantin Khlebnikov ]
  * bash-completion: update completion for layers
  * porto: cut container namespace in volume list
  * filesystem: bind mount root for pivot_root only when needed
  * container: cleanup memory limit/guarantee
  * container: mount /run with size of half memory limit

  [ Maxim Samoylov ]
  * volume: fix for segfault on broken volume restore

  [ Konstantin Khlebnikov ]
  * porto: thaw container if freeze failed

  [ Maxim Samoylov ]
  * tests: tests volumes with custom places
  * volume: prevent user from creating unlimited volume

  [ Konstantin Khlebnikov ]
  * volume: sanitize error codes
  * test/test-volume_places: fix
  * layers: install python protobuf by pip
  * test/test-volume_places.py: do not restart porto

  [ Maxim Samoylov ]
  * portod: terminate child process using _exit()

  [ Konstantin Khlebnikov ]
  * network: connect net=L3 and net=NAT to host network
  * porto: create only required cgroups

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 13 Sep 2016 19:34:29 +0300

yandex-porto (3.0.3) unstable; urgency=low

  * api/python: add method Version
  * porto: remove left-over freezer first
  * test/test-mem-overcommit: skip if not supported
  * porto: add more variants for property enable_porto
  * porto: enum for properties
  * porto: apply only changed dynamic properties
  * porto: add requests statistics
  * porto: use blkio.weight=500 for io_policy=normal
  * porto: sanitize stdout_limit restrictions
  * util/unix: fix error detection in RunCommand
  * selftest/stdout_limit: remove container
  * porto: limit count of devpts devices in container with 256
  * layers/common-cleanup.sh: cleanup
  * porto: add custom place for layers and volumes

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 05 Sep 2016 16:20:29 +0300

yandex-porto (3.0.2) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: switch to libnl 3.2.27
  * porto: fix compilation in travis

  [ Maxim Samoylov ]
  * portotop: use hierarhical limits for portoctl top

  [ Konstantin Khlebnikov ]
  * portotop: brighter highlight for sorting column
  * cgroup: bisect steps for reducing memory limit
  * porto: virt_mode=os must be isolated from host

  [ Maxim Samoylov ]
  * property: get rid of knob dependencies on set action

  [ Konstantin Khlebnikov ]
  * property: keep bind_dns=true but bind only when needed
  * property: virt_mode=os must be isolated from host network
  * property: remember custom umask
  * property: apply defaul defaults for empty set
  * property: inherit environment variables only within isolation domain
  * property: cleanup inheritance
  * property: deprecate start_errno
  * porto: remove obsolete scripts
  * filesystem: remount debug/tracing bind read-only
  * porto: remount sysfs to show devices in new netns
  * porto: add scripts for building layers
  * scripts/prepare_layers: update layers
  * layers: add python-protobuf into common-devel.sh

  [ Maxim Samoylov ]
  * test: add tests with security-related cases

  [ Konstantin Khlebnikov ]
  * test/test-security.py: cleanup and fixup

  [ Maxim Samoylov ]
  * portoctl: print help on stdout instead of stderr
  * portoctl: exit with EXIT_SUCCESS if server alive

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 29 Aug 2016 13:59:40 +0300

yandex-porto (3.0.1) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * util: remove sha256
  * selftest: replace "true" with "/bin/true"
  * porto: disable default porto_namespace for now
  * porto: make porto_namespace non-dynamic
  * client: special clients are not accounted
  * portoctl: remove command enter
  * porto: refactor traffic classes
  * porto: tune htb configuration again
  * porto: speedup container destroy
  * test: use portoctl from current directory
  * test: the same for portoinit
  * porto: deprecate net="host", replace net="host <name>" with net="steal <name>"
  * porto: ignore missing tc class when removing
  * test: use portoctl from current directory
  * volume: add backend tmpfs
  * volume: default permissions are 0775
  * porto: add per-device network configuration
  * porto: add sfq qdisc into default class of htb
  * volume/tmp: add resize
  * network: calculate rate and ceil from network device speed
  * network: add bfifo qdisc to leaf htb classes

  [ Maxim Samoylov ]
  * porto: do not respawn container if parent is not running

  [ Konstantin Khlebnikov ]
  * network: do not add leaf qdisc if class creation failed
  * porto: do not touch cgroup if new memory limit is the same
  * network: add support for HFSC
  * network: handle HFSC statistics
  * test: fix test-tc-rebuild.py for hfsc
  * network: replace HTB with HFSC

  [ Maxim Samoylov ]
  * property: fix ulimit keyword

  [ Konstantin Khlebnikov ]
  * volume: harden space_guarantee and disable journal for backend=loop

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 22 Aug 2016 14:02:37 +0300

yandex-porto (3.0.0) unstable; urgency=low

  [ Konstantin Khlebnikov ]
  * porto: add symlinks /dev/std{in,out,err}

  [ Maxim Samoylov ]
  * porto: fix selftest for root environment
  * porto: fix property restore bug
  * porto: clean up read-only ctor for knobs
  * porto: move string to string list conversion to util/
  * porto: support indexing for reworked properties
  * porto: rework virt_mode property and its dependencies
  * porto: rework root_readonly property
  * porto: rework hostname property
  * porto: rework env property
  * porto: rework bind property
  * porto: rework ip property
  * porto: hidden flag for refactored properties
  * porto: rework capabilities property
  * porto: rework default_gw knob
  * porto: rework resolv_conf property
  * porto: rework devices property
  * porto: implement separate interface for knob saving/restoring
  * porto: rework raw properties
  * porto: rework ulimit property
  * porto: rework porto_namespace property
  * porto: rework stdout limit property
  * porto: rework memory limit property
  * porto: rework anon_limit property
  * porto: rework dirty_limit property
  * porto: rework recharge_on_pgfault property
  * porto: add helper functions to work with cpu shares
  * porto: rework cpu limit-related properties
  * porto: rework io limits properties
  * porto: extract UintMap string helpers to util/string.cpp
  * porto: rework net limit properties
  * porto: rework respawn properties
  * porto: rework private property
  * porto: reworked stub for unsupported NetTos knob
  * porto: rework aging_time property
  * porto: rework enable_porto property
  * porto: rework weak property
  * porto: rework external weak container creation
  * porto: save container state after each state change.
  * porto: rework absolute_name and absolute_namespace data properties
  * porto: rework state property
  * porto: rework oom_killed read-only property
  * porto: rework parent data field
  * porto: rework respawn_count read-only property
  * porto: rework root_pid data field
  * porto: rework exit_state read-only property
  * porto: rework start_errno data field
  * porto: rework container stdout/stderr retrieval interface
  * porto: rework container memory statistics data fields
  * porto: rework container cpu accounting data fields
  * porto: rework container net statistics data fields
  * porto: rework container io statistics data fields
  * porto: rework time data field
  * porto: rework porto_stat data field
  * porto: remove old property and data heritage
  * porto: replace auto type in common.hpp
  * porto: volume property interface rework
  * porto: drop TValueMap and friends
  * porto: fix race on volume layers tmp dir creation
  * porto: fix wrong exit call in the forked child.
  * porto: move container property definitions to its implementation
  * porto: move property declaration next to method definitions
  * porto: encapsulate property names and description
  * porto: make property definition clearer

  [ Konstantin Khlebnikov ]
  * porto: check user permissions for bind mount source path
  * porto: execute requests from containers in behalf of their owners
  * portoctl: fix property list alignment
  * volume: initialize IsReadOnly

  [ Maxim Samoylov ]
  * porto: add standalone test script
  * porto: re-implement porto fuzzer in python
  * porto: run python tests in standalone_test
  * porto: drop root privileges in test/test-api.py
  * porto: generalize python tests a bit
  * porto: introduce mem_total_limit knob

  [ Konstantin Khlebnikov ]
  * porto: autodetect bind mount mode if ro/rw not specified
  * util/string: add StringParseFlags and StringToBool
  * porto: check write permissions for bindmount target
  * porto: refactor capabilities
  * porto: enforce capabilities limit of parent containers
  * properties: cleanup initialization
  * volume: cleanup properties
  * porto: cleanup standalone test
  * network: sanitize htb configuration
  * network: fix compilation
  * porto: cleanup version control
  * porto: do not run test when building package
  * selftest: update default capabilities limit
  * porto: allow any bind mount for source/target owners
  * selftest: remove restarts from tests
  * selftest: do not check cgroups of current process
  * selftest: use 9999 for numeric uid/gid tests
  * util/path: fix misprint in read write access check
  * selftest: fix permissions TestPaths
  * porto: change owner of auto created bind mount target
  * selftest: do not expect zero cpu, mem and net usage of portod
  * selftest: do not expect zero io counters of portod

  [ Maxim Samoylov ]
  * porto: fix broken container stop semantics
  * porto: stop using SIGTERM for meta container on stop

  [ Konstantin Khlebnikov ]
  * porto: move tests out of source directory
  * selftest: update test for capabilities
  * selftest: add branches for new cpu-guarantee
  * util/cred: load users by numeric id
  * porto: change supplementary groups when user changed
  * test: cleanup test user layout
  * test: update test-unpriv-cred.py
  * selftest: fix boundled cgroup detection
  * selftest: update fd checks
  * selftest: truncate logs
  * porto: update .gitignore
  * scripts/standalone_test pass arguments into portotest
  * test/test-unpriv-cred.py: fix and check more corner cases
  * porto: cleanup cmake
  * porto: move GIT-VERSION-GEN to scripts/version
  * AUTHORS: Maxim Samoylov
  * porto: move libnl into root cmake file
  * travis: move script and enable external libnl
  * porto: fix non-isolated root_pid for requests from parent container
  * portoctl: do not hide invalid virt_mode

  [ Vladimir Vishnevsky ]
  * Introduced 'Install required dependecies' section Fixed debian build

  [ Konstantin Khlebnikov ]
  * porto: move travis script into config
  * porto: fix c++ compiler version check
  * porto: use gcc 4.7 in travis
  * porto: fix external libnl for ancient cmake
  * test: check error counters after restart
  * test: fix path to python tests
  * test/test-mem-overcommit: scale down checks to megabytes
  * porto: restrict character set for layer names
  * util/path: optionally check parent permissions for non-existent files
  * filesystem: detach mount namespace operations
  * filesystem: require write permission for binding into system directories
  * filesystem: strictly check read pemission for binding system directories
  * filesystem: check write permission for parent directory when creating bind mount target
  * porto: rewrite key-value serialization
  * porto: configure porto_namespace by default for all containers
  * selftest: remove testcase "bind_property"
  * util/mount: cleanup and move into path
  * util/unix: refactor and rename Run to RunCommand
  * porto: cleanup container startup
  * test/test-portoctl-exec.py: run by current user
  * util/path: UmountAll should umount ALL layers of mountpoints
  * porto: write custom resolv.conf into file in /run
  * task: remove old methods
  * porto: change /etc/hostname in the same way as /etc/resolv.conf
  * porto: run sub-commands in read-only mount namespace
  * porto: property resolv_conf overrides bind_dns
  * porto: add property umask, change default to 0002
  * porto: mount read-only tracefs part of debugfs
  * porto: drop effective capabilities before opening stdout inside container
  * porto: refactor stream management
  * property: cleanup enable_porto
  * property: cleanup cwd
  * porto: test presence of custom stdout/stderr outside container
  * porto: do not remove custom stdout/stderr files
  * porto: refactor stop, pause, exit sequences
  * porto: refactor client management
  * porto: do not reap stopped sub-containers
  * porto: rewrite restoring sequence
  * overlay: escape paths in arguments
  * porto: cleanup string split/merge operations
  * volume: verify set properties
  * porto: replace TScopedFd with TFile
  * volume: pin layers before checking permissions
  * stream: recheck real path

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 10 Aug 2016 16:14:09 +0300

yandex-porto (2.11) unstable; urgency=low

  * porto: recreate $ROOTFS/run subdirectories in the container
  * porto: rework container save/restore code
  * porto: check group membership also by group name string
  * porto: let TClient instance be created without TEpollSource backing
  * porto: let unprivileged users manipulate containers with non-matching owner
  * porto: let unprivileged user change container user/group
  * porto: add test for unprivileged client setting container credentials
  * porto: add set state tracking for reworked knobs
  * porto: add unsupported flag for reworked properties
  * porto: fix hierarchy memory guarantee accounting
  * porto: add test for memory guarantee overcommit prevention
  * porto: add read-only flag for reworked properties
  * porto: add memory_guarantee_total read-only knob
  * porto: minor fix for memory_guarantee_total knob
  * porto: hide memory_guarantee_total if no supported
  * porto: set oom_killed if application hit the limit during the execution
  * network: set default rate to 1mbit for all htb classes except root
  * test/selftest: fix net_guarantee

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 21 Jun 2016 15:33:01 +0300

yandex-porto (2.10) unstable; urgency=low

  * util/cgroup: test cgroup harder
  * porto: add knob cpu_usage_system
  * porto: merge container property and data
  * porto: proxy properties for cgroup attributes
  * porto: use cfs reserves for cpu policy and guarantee if available
  * porto: clear config state before reload
  * porto: keep map of shared network namespaces
  * porto: move containers map and lock out of crappy code
  * porto: add unmanaged network devices and device groups
  * porto: rebuild network classes for new devices
  * porto/test: default cpu guarantee is 0
  * porto: match unmanaged devices as wildcard
  * porto: remove host qdisc from managed network devices at stop
  * porto: shift base cpu shares to 1024 and add guarantees to it

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 20 May 2016 17:56:27 +0300

yandex-porto (2.9) unstable; urgency=medium

  * network: include net/if.h for flags IFF_*
  * util/log: fix deadlock around localtime_r kludge
  * porto: increase clients limit and update fd rlimit
  * porto: add container start timeout
  * util: move fork/localtime kludge from log into unix
  * porto: cleanup task start and wakeup sequence
  * portoctl: implement WaitAll operation
  * api/go: regenerate rpc, add CreateWeak TuneVolume WaitAll
  * porto: remove WaitAll
  * porto: add wildcard wait
  * porto: refactor version management
  * porto: add command line option "--verbose"
  * porto: use system libnl
  * porto: add anon_usage and anon_limit

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 06 May 2016 19:54:25 +0300

yandex-porto (2.8.8) unstable; urgency=medium

  [ Vsevolod Velichko ]
  * api/python: invalidate connection on read failure
  * api/python: check on disconnect if sock is already removed

  [ Konstantin Khlebnikov ]
  * debian/yandex-porto.upstart: wait for yandex-networking
  * client: always log client fd
  * client: warn if request comes before previous response
  * client: handle zero send return at fastpath
  * client: ignore error if client has died before identification

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 11 Apr 2016 13:47:50 +0300

yandex-porto (2.8.7) unstable; urgency=medium

  * portod: fix leak of client slots
  * task: close other end of control unix socket if fork fails
  * network: lock network while reconstructing interfaces
  * porto: limit maximum container nesting level

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 01 Apr 2016 13:14:42 +0300

yandex-porto (2.8.6) unstable; urgency=medium

  * porto: add pseudo-container "self" as an alias for client container
  * portoctl: forward terminal only if all streams are tty
  * api/python: fix protobuf generation
  * porto/volume: always use loop by default if quota requested but not supported
  * porto: do not inherit parent environment by os container
  * porto: reuse server socket during reload and upgrade
  * selftest: check total_max_rss instead of max_rss
  * porto: make absolute names really absolute
  * porto: unlock herarchy during start
  * portoctl: show busy containers in list

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 30 Mar 2016 12:11:20 +0300

yandex-porto (2.8.5) unstable; urgency=medium

  * portoctl: add option for changing timeout and increase default to 600s
  * portoctl: add bash completion for wait
  * portoctl: remove default request timeout

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 28 Mar 2016 10:20:11 +0300

yandex-porto (2.8.4) unstable; urgency=medium

  * porto: update network limit and guarantee in runtime
  * porto: warn in log about missing tc classes
  * porto: rebuild tc classes if creation fails
  * porto: add test for tc rebuild
  * porto: do not log remove error if cgroup doesn't exist
  * porto: log ENOSPC from PrepareWorkDir as notice
  * porto: log attempt of changing locked variable as notice
  * porto: less racy task cgroup fixup during restore

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 25 Mar 2016 17:10:21 +0300

yandex-porto (2.8.3) unstable; urgency=medium

  * portoctl: do not isolate network for shell -u root
  * libporto: move into namespace Porto
  * porto: ignore setting locked variables PORTO_HOST and PORTO_NAME
  * portoctl: add connection timeout
  * porto: do not log wait timeout responses
  * portoctl: vunlink -A for unlinking from all containers
  * porto: update description of container and volume properties
  * porto: revert default cpu_guaratee=1c / cpu.shares=1024

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 22 Mar 2016 13:06:30 +0300

yandex-porto (2.8.2) unstable; urgency=low

  * util/path: split Bind and BindRemount operations
  * util/path: mount option string must fit into page
  * porto: explain wait result in log
  * util/signal: fix message in FatalSignal
  * portoctl: do not set virt_mode=app in launcher
  * network: match master interfaces with wildcards
  * network: disable IPv6 DAD in new network namespaces
  * network: add IPv6-SLAAC autoconf
  * porto: remove restricted root user
  * porto: allow owner to start isolate=false virt_mode=os sub-containers
  * portoctl: add -u/g for shell subcommand
  * portoctl: do not permute non-option arguments
  * portoctl: check arguments count after parsing options
  * portoctl: layer -L needs no arguments
  * network: wait in start for autoconf

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 14 Mar 2016 18:04:20 +0300

yandex-porto (2.8.1) unstable; urgency=low

  * portod: fix missing errors from mount
  * volume: fallocate loop image and chown to user
  * portoctl: fix forwarding non-termianl streams
  * portoctl: allow building filesystem images

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 04 Mar 2016 18:46:14 +0300

yandex-porto (2.8) unstable; urgency=low

  * selftest: do not change hostname
  * selftest: do not touch porto config
  * portoinit: rewrite in c
  * porto: include stdint with __STDC_LIMIT_MACROS
  * selftest: bump noop memory_usage threshold
  * property: refactor net_limit, net_guarantee, net_priority
  * util/signal: refactoring
  * api/cpp: refactoring
  * api/cpp: separate client and server code
  * property: refactor cpu_limit and cpu_guarantee
  * porto: silence warning about deprecated container.scoped_unlock in config
  * selftest: check cpu_guarantee 0.5c instead of 10c
  * property: user:group always set to creator
  * property: io_limit and io_ops_limit are hierarchical
  * property: root_readonly and resolv_conf affects all childs
  * property: refactor environment variables
  * property: refactor enable_porto and porto_namespace
  * volumes: repalce set with vector
  * property: replace set of states with three bits
  * util/cred: add LastCapability
  * quota: reset current project id before creation
  * quota: always lookup project before resize and destruction
  * quota: round space hard limit up to QIF_DQBLKSIZE
  * volume: add backend=quota
  * volume: get space usege from quota
  * porto: add volume tune request
  * volume: tell if volume path or storage not exist
  * portoctl: get volume absolute path before requesting
  * portoctl: remove config
  * stream: remove std*type
  * util/path: carefully handle symlinks
  * portoctl: rewrite run, exec, shell, build
  * volume: fix creation of backend=plain
  * volume: rework statfs and guarantees
  * volume: show inode limit/usage/available and guarantee properties
  * volume: make guarantees tunable
  * util/file: remove
  * portod: add CAP_MKNOD and CAP_AUDIT_WRITE to VM and drop root device check
  * portod: do not restrict default devices for root user
  * portod: auto remove layers with names begins with "_weak_"
  * portoctl: get absolute path for tarballs
  * portoctl: parse properties in launcher
  * portoctl: rework build command for non-root users

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 02 Mar 2016 16:20:17 +0300

yandex-porto (2.7.11) precise; urgency=medium

  * cgroup: fix unlimited memory limit

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 15 Feb 2016 22:18:56 +0300

yandex-porto (2.7.10) precise; urgency=medium

  * cgroup: enable memory.use_hierarchy unconditionally
  * util/path: add plain stat
  * util/cred: refactoring
  * cred: deprecate custom root users and groups
  * property: devices
  * porto: remove socket path from config
  * config: mark deprecated options with attribute
  * porto: deprecate journals
  * porto: deprecate volumes.enabled
  * porto: deprecate container.scoped_unlock
  * porto: deprecate network.debug
  * porto: deprecate daemon.debug

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 15 Feb 2016 16:43:01 +0300

yandex-porto (2.7.9) precise; urgency=medium

  * api/python: connect and reconnect automatically
  * script/test: run portotest from build directory
  * network: generate names of veth host side automatically
  * network: fix L3/NAT separation
  * properties: remove hierarchy validation

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 08 Feb 2016 19:34:28 +0300

yandex-porto (2.7.8) precise; urgency=medium

  * network: add optional master device for L3 and separate option for MTU
  * util/idmap: plug false-positive warnings about uninitialized id
  * task: close other side of control socket before reading
  * network: remove freed nat ip from property
  * network: add host network into map
  * network: fix htb qdisc validation
  * network: restore tc classes in shared network
  * selftest: noop memory usage could be non-zero
  * netlink: remove extra new line after dump
  * portod: fix false-positive warnings when client suddenly disconnects
  * porto: fix false-positive errors at restoring network for zombies
  * test/stress: ignore lost status after restore
  * debian: remove portod.conf
  * debian: put logrotate into logrotate.d, rotate daily and hourly
  * debian: remove portotest
  * debian: wait for cgred on precise and cgroup-lite on trusty
  * util/log: do not break logging completely at first early warning

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 04 Feb 2016 13:21:34 +0300

yandex-porto (2.7.7) precise; urgency=medium

  [ Konstantin Khlebnikov ]
  * property: add resolv_conf
  * idmap: add dynamic base index and error code to put
  * util/netlink: more address operations
  * network: add net=NAT
  * portod: add weak containers

  [ Vsevolod Velichko ]
  * api/python: remove SetTty

  [ Konstantin Khlebnikov ]
  * stream: assign controlling termianal for child task

  [ Vsevolod Velichko ]
  * api/python: remove linuxtty import
  * api/python: fix api for weak containers

  [ Konstantin Khlebnikov ]
  * selftest: add property "weak"
  * portod: add separate rpc request for weak containers
  * idmap: fix typo
  * network: log interfaces update when adding tc classes
  * network: do not manage host end of veth
  * portod: remove ack source when slave process exits

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 26 Jan 2016 18:00:19 +0300

yandex-porto (2.7.6) precise; urgency=medium

  * container: Efd -> OomEventFd
  * porto: do not leak log fd into task in "stdlog" mode
  * property: TStdSwitchProperty -> TStdTypeProperty
  * stream: Type -> Stream, Impl -> Type
  * stream: move std -> stream
  * stream: hide std*_type properties
  * stream: open /dev/null from host
  * stream: open /dev/tty as client tty
  * test/selftest: comment std*type
  * network: do not generate mac for macvlan if hostname is not set
  * statistics: count containers, volumes and clients
  * volume: plug memory leak, break reference loop
  * portoctl: fix columns in vlist
  * network: manage all created interfaces in new netns
  * stream: drop /dev/tty, redirect /dev/fd/%d into path of client file descriptor
  * stream: check client permissions for fd before redirection
  * stream: initialize rotation loss to zero

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 21 Jan 2016 12:57:27 +0300

yandex-porto (2.7.5) precise; urgency=medium

  * cgroup: fix another crash in ChildsAll
  * portod: async request/response transport

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 18 Jan 2016 17:57:39 +0300

yandex-porto (2.7.4) precise; urgency=medium

  [ Vsevolod Velichko ]
  * api/python: return slavept filepath in SetTty

  [ Roman Gushchin ]
  * rpc: add path convertation ability to rpc
  * rpc: handle path convertation request
  * C++ API: add path convertation function
  * go API: add path convertation function
  * python API: add path convertation function
  * portoctl: add path convertation option
  * test: add test for path conversion
  * build: fix compiler warnings
  * std: rework pty std type implementation

  [ Konstantin Khlebnikov ]
  * util/file: remove ugly Remove
  * cgroup: rework removing
  * util/path: print mode in octal format
  * util/path: add ReadAll, WriteAll and ReadLines
  * cgroup: refactoring
  * selftest: update leak test
  * cgroup: fix proc/pid/cgroup parser
  * portod: do not leak fd on error paths in AcceptClient
  * container: restore non-isolated meta containers
  * cgroup: remove leftovers harder
  * cgroup: attach daemon into correct hierarchies
  * cgroup: keep leading slash in cgroup name
  * cgroup: cleanup pid to container lookup
  * cgroup: cleanup oom event setup
  * cgroup: fix some log messages
  * cgroup: fix crash in ChildsAll
  * portod: close client connections explicitly and print some useful details
  * portod: disable journals

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Thu, 14 Jan 2016 12:11:19 +0300

yandex-porto (2.7.3) precise; urgency=low

  * std: close fifo's when container dies
  * property: return cpu_limit and cpu_guarantee in cores
  * property: allow read-only access to properies of / and /porto
  * network: plug leak in GetInterfaceCounters
  * properties: add network RX counters
  * util/string: add UintMap operations
  * network: detect L3 mtu automatically
  * network: disable DAD for assigned ip addresses
  * network: add L3 configuration
  * api/python: update package version
  * api/python: add SetTty method
  * network: update interfaces if tc update failed
  * util/string: cleanup
  * property: refactor size value parsing and formatting
  * util/string: add StringFormat
  * idmap: remove custom bitmap
  * volume: use string volume id
  * selftest: use /bin/true as noop command
  * property: rename iops_limit into io_ops_limit
  * util/mount: remove mountpoint operations
  * util/path: add CreateAll
  * selftest/data: noop memory usage must be zero
  * util/path: refactor permissions check
  * util/path: remove GetType
  * util: remove TFolder
  * util/path: add ListSubdirs
  * std: add support for pty std type
  * std: refactor stdin/stdout/stderr handling and support for fifo std type
  * cosmetic: fix a typo
  * selftest: use direct-io in data test
  * selftest: check io stat more carefully
  * task: do not chown non-regular stdout
  * selftest: io stat works both for cfq and fsio
  * property: add flag UNSUPPORTED_FEATURE
  * property: rename TValueMap::SetString into SetValue
  * property: return error from GetString method
  * property: do not read content of non-regular stdout
  * data: add io_ops like io_read/write it shows fs and blk statistics
  * property: add iops_limit
  * selftest: fixup data test
  * container: track stdout offset and allow indexed access
  * property: network config must be persistent
  * property: cleanup
  * properties: refactoring
  * volume: do not verify empty set of layers

 -- Roman Gushchin <klamm@yandex-team.ru>  Fri, 25 Dec 2015 17:13:22 +0300

yandex-porto (2.7.2) precise; urgency=low

  * util/mount: get the last matching mountpoint

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Tue, 15 Dec 2015 14:57:27 +0300

yandex-porto (2.7.1) precise; urgency=low

  [ Konstantin Khlebnikov ]
  * util/netlink: bring up slave interface
  * net: fix ip configuration inside container
  * network: move network configuration into network code
  * network: set net=host for root container
  * network: refactor netlink once again
  * network: prepare new connect operations
  * network: create and configure network before starting container
  * container: restore stdpaths from porto older than 2.7
  * property: allow creation new netns together with isolate=false
  * property: allow changing hostname together with isolate=false
  * container: create new mount namespace if bind_dns=true
  * property: completely remove PARENT_RO_PROPERTY
  * network: dump found qdisc at restore
  * selftest: custom hostname in isolate=false now supported
  * selftest: custom hostname in isolate=false now supported v2
  * container: remove kludge for nested mount namespace
  * network: hide rtnl_link poriner in TNlLink
  * util/unix: really check errors from popen
  * selftest: check mavclan statistics using ipv6/ra setup
  * selftest: race in GetState
  * selftest: non-zero exit from pgrep is ok
  * layer: tell if tarball not found at import
  * util/mount: also check device of target when looking for mountpoint
  * kvalue: cleanup

  [ Roman Gushchin ]
  * volumes: use full container name when unlinking volumes
  * go API: don't fill container field with empty string

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Mon, 14 Dec 2015 18:09:24 +0300

yandex-porto (2.7) precise; urgency=low

  * properties: resolve relative bind src based on parent cwd
  * volume: fix typo
  * util: remove old quota
  * volume: rewrite quota management
  * util/quota: rewrite quota management
  * util/path: add GetInode
  * portotop: show cpu usage as percent of system time, not system usage
  * properties: fix compilation
  * container: remove loop temporary directory recursively
  * container: correctly remove stdout/err at restore
  * credentials: do not load user/group from chroot
  * properties: set default cwd to / if we're chrooted in any way
  * properties: root path is now relative to parent container's root
  * network: unify traffic class hierarchy
  * selftest: fix paths test
  * util/cred: fallback to single group if cannot get supplementary
  * network: refactor qdisc
  * container: fix typo in FreeResources()
  * selftest: implement new paths test
  * selftest: sssd can open up to 3 file descriptors
  * selftest: rearrange tests to get errors faster
  * selftest: don't expect bind path's check for accessibility
  * container: resolve stdin/stdout/stderr relative to parent namespace
  * properties: don't check paths for existance and accesibility
  * properties: don't convert paths in properties
  * util/path: implement /= operator
  * util: log mount source as well as destination
  * network: refactor traffic classes
  * network: add simple cache of interfaces
  * network: move ip/gw configuration into NetCfg
  * network: deprerecate network.devices and network.alias
  * network: do not use host network for dead containers
  * test: check error counters after each testcase
  * task: rework error report ordering
  * network: do not remove default traffic class
  * network: remove unused TFilter
  * network: always open rtnl via jumping into namespace
  * util: fix SetCap()
  * util: fix build
  * cosmetic
  * portod: remove obsolete --nonet CLI option
  * cleanup: don't throw std::bad_alloc if there is no memory
  * cleanup: remove TScopedMem
  * Merge pull request #19 from noxiouz/bugfix_goapi_createvolume
  * cosmetic: follow code style
  * util: remove unnecessary malloc in SetCap()
  * network: create intermediate htb class 1:3 in isolated net namespaces
  * go API: bugfix in CreateVolume
  * api/python: add optional constructor argument for connection lock
  * api/python: add custom socket constructor
  * api/python: remove unused _rpc methods
  * api/python: pep8 fixes
  * docs: fix ulimit syntax description
  * porto: rename qdisc into network
  * test: for now there is no netlink event socket
  * test/selftest: remove sleep kludge
  * porto: send netlink socket from child task
  * porto: syncrhonze network configuration
  * Merge pull request #18 from noxiouz/goapi_improvements
  * net: release TNetwork in TContainer::Destroy()
  * net: call TNetwork::Destroy() from destructor
  * net: add TContainer::SetTNetwork(), rearrange code
  * net: make TContainerHolder::NetNsMap private, add simple gc
  * net: take host network whenever it isn't possible to get proper net ns
  * task: simplify start procedure
  * net: fix network restoration
  * selftest: don't expect that network counters are persistent
  * net: don't restore network for reparented and dead processes
  * cotnainer: don't report imaginary errors
  * container: split Start() into Start() and Start2()
  * util/net: make TNlClass, TNlHtb, TNlCgFilter, etc stateless
  * net: remove shared_ptr link to TNetwork from TFilter
  * net: remove shared_ptr links to TNetwork from TTclass and TQdisc
  * net: keep [net ns inode]->std::shared_ptr<TNetwork> map in Holder
  * util: implement TNamespaceFd::GetInode()
  * container: restore network (no net nemspaces yet!!!)
  * net: compare htb qdiscs default classes correctly
  * net: log rtnl_qdisc_alloc_cache() errors
  * selftest: don't expect network ifaces check on setting properties
  * net: initialize TNetwork just after container start
  * net: don't check network ifaces on properties setting
  * net: remote links to TNetwork from TContext and TContainerHolder
  * net: open netlink connection in TNetwork::Connect()
  * task: log errors during container start
  * task: enter new net namespace, get netlink fd and pass to portod
  * util: set default class for htb qdisc properly
  * util: add ability to specify netlink socket on connect
  * util: add methods for sending/receiving fds via unix sockets
  * cosmetic: fix typo
  * go API: rename NewConnection to Connect
  * scripts/test: use dch --force-bad-version
  * api/python: fix exception handling in Connection.DestroyVolume

 -- Roman Gushchin <klamm@yandex-team.ru>  Fri, 04 Dec 2015 16:56:33 +0300

yandex-porto (2.6.1) precise; urgency=low

  [ Anton Tiurin ]
  * go API: remove Append as there is standart way to do it
  * go API: Check errors before reading a result
  * go API: Expand sturcts initializations
  * go API: range over values in arrays to use a value. Append to arrays without iteration, when it's possible
  * go API: Bugfix: RecvData returned invalid result if incoming data

  [ Konstantin Khlebnikov ]
  * api/python: remove unneeded argument of Container.Resume
  * api/python: fix Container.Get()
  * api/python: add method Container.Destroy()
  * api/python: add method Connection.ListContainers()
  * api/python: add volume-api
  * test: add test-api.py
  * test-api.py: fixup Container.Resume()
  * test-api.py: fixup formatting
  * portod: create and cleanup /place/porto at startup
  * container: fix crash in restoring borrowed network
  * api/python: cleanup new api
  * property: fix 'env' format specification description
  * property: porto_namespace is a container namespace
  * property: update io_limit description
  * property: cpu limit/guarantee can be zero, float and might be in cores

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 18 Nov 2015 12:15:52 +0300

yandex-porto (2.6) precise; urgency=low

  * net: treat 0 and 1 rate values as equal when comparing tc classes
  * net: repair selftests after changing net properties syntax
  * net: implement whiteouts for net prio/limit/guarantee
  * net: allow setting net_guarantee to 0
  * net: allow setting default prio/limit/guarantee
  * docs: add links to Go API
  * subsystem/memcg: report actual minor faults not the total count
  * subsystem/memcg: use callback for capturing fsio read_bytes
  * subsystem/memcg: add callback into statistics parsing
  * portoctl/build: make output and script mandatory
  * cli/ICmd: add method PrintUsage
  * portoctl/exec: do not remove container if run failed
  * selftest: use sort for triggering oom
  * scripts/test: revert changelog changes after build
  * container: always create and remove working directory
  * util/log: simplify log file opening
  * volumes/mount: replace TFolder with TPath
  * util/path: add MkdirAll
  * cleanup: remove config().network().enabled()/dynamic_ifaces()
  * porto: report fsio statistics and use it in portoctl top
  * portoctl: get command should print error if container does not exist
  * porto: change mode of key-value files to 0600
  * go API: initial version
  * util/path: handle append-only and immutable files
  * porto: cleanup log rotation
  * porto: cleanup time management
  * container: split GetName() and GetTextId()
  * container: rename relative naming things
  * volume/overlay: handle opaque directories
  * volume/overlay: remove aufs metadata directories
  * util/path: add RemoveAll()
  * util/path: add IsDirectory() and IsRegular()

 -- Roman Gushchin <klamm@yandex-team.ru>  Tue, 03 Nov 2015 17:19:50 +0300

yandex-porto (2.5) precise; urgency=low

  * porto: rework container path limits (path <= 200, name <= 128)
  * network: add mode net="container <name>"
  * portoctl: rework command "build"
  * portoctl: rework command line option '-L'
  * portotop: show full container tree by default
  * porto: use vfork instead of fork (workaround for libc bug)

  * Move <csignal> header to cli.cpp
  * Hide ICmd::RunCmd implementation.
  * Fix formatting and add const modificator in cli.cpp.
  * Use final and override keywords in ICmd derived classes.
  * Extract a TCommandHander class and move commands state into it.
  * Generalize MaxFieldLength and remove temporary vector.
  * Use TCommandEnviroment to isolate command arguments.
  * Code cleanup.
  * Fix formatting issues in cli.{hpp,cpp}.
  * Add template helper for registering commands.
  * Check if protoc was found
  * Enable out-of-tree builds
  * travis: don't use container-based infrastructure
  * readme: add travis build status
  * Add move ctors and operators to TError class.
  * Fix compilation and some cases in handling TError class objects.
  * Fix formatting and add const to static objects in error.cpp file.
  * Hide TPortoAPIImpl from global namespace.
  * Small set of copy optimizations.
  * Minor API interface changes.
  * mkimg: replace fallocate with truncate
  * debian: add cmake into Build-Depends
  * selftest: add dirty_limit property
  * test: fix teamcity testing
  * Remove TStringVector typedef and fix naming.
  * scripts/test: remove root user alias
  * util: make RetryFailed/RetryBusy respectable functions
  * build: simplify travis build script
  * docs: update build process in README.md
  * scripts/test: install python-portopy
  * build: add libnl build dependecies
  * build: check out libnl automatically
  * build: install python API to lib/python2.7/dist-packages/porto
  * cli: fix getopt wrapper
  * rpm: cleanup build script
  * libnl: drop submodule, move libnl into src
  * task: add DumpDebugInfo() method
  * task: dump debug information for unkillable tasks
  * scripts/test: install portopy after update test
  * build: install python api using setuptools
  * scripts/test_update: fixes
  * selftest: add option "--except <test>..."
  * cli: reset optind to zero before restarting getopt
  * test/selftest: remove sync/replace with fdatasync
  * selftest: check container's net_bytes is less or equal than root counters
  * path: replace GetCwd with AbsolutePath
  * error: verify error description length
  * task: fix ReportStage ordering
  * error: add constructor with additional description prefix

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Fri, 16 Oct 2015 16:25:19 +0300

yandex-porto (2.4) precise; urgency=low

  * selftest: fix tests after supporting float cpu limit and guarantee
  * container: allow setting float cpu limit and guarantee
  * container: make GetChildrenSum() and ValidHierarchicalProperty() templates
  * value: introduce TDoubleValue
  * util: introduce StringToDouble()

  * porto: do not send second response from wait timeout

  * selftest: output __FILE__ instead of __func__ on error
  * selftest: don't use prlimit binary in tests
  * selftest: add memory.limit_in_bytes of root cgroup on modern kernels
  * unix: Popen() shouldn't report sucess if process quit with error
  * selftest: introduce kernel features infrastructure
  * selftest: fix ShouldHaveValidProperties() on non-yandex kernels

  * portoctl: print warning if pid is unknown at enter
  * portoctl: update help for portoctl enter
  * porto: add property "dirty_limit"
  * test/perf: double creation time
  * container: never ignore exit events
  * scripts/mkimg: start os container with virt_mode=os
  * porto: at restore sync all container cgroups for all tasks with freezer
  * porto: start portoinit for isolated application containers
  * porto: use TUnixSocket for communication with starting task
  * util/unix: TUnixSocket
  * porto: cleanup erorr handling in starting sequence
  * porto: convert TTaskEnv into mutable unique_ptr

  * test: fix race between delete veth0 and delete veth1
  * test: ignore init task in isolated container
  * test: fix races in waiting process exit

  * porto: add "--container $name" into portoinit commandline
  * porto: rename portod-meta-root into portoinit
  * porto: merge meta-root and waiter fd for fexecve
  * porto: use VPid only for triple-fork mode
  * container: refactor initialization of supplementary groups

  * C++ API: finish separation of C++ API
  * C++ API: move error.hpp/cpp and protobuf.hpp/cpp to C++ API
  * C++ API: remove dependency to cred.hpp from protobuf.hpp/cpp
  * C++ API: don't use rpc.hpp in libporto
  * C++ API: introduce TPortoAPIImpl
  * C++ API: cosmetic changes (add std::, etc)

  * docs: fix some grammar errors

  * portoctl: fix Ctrl-C in portoctl exec command
  * portotop: increase indent in container tree
  * property: human friendly message for cpu limit/guarantee out-of-range error

 -- Roman Gushchin <klamm@yandex-team.ru>  Thu, 24 Sep 2015 17:52:32 +0300

yandex-porto (2.3.2) precise; urgency=low

  * move sources into src
  * do not start porto service in porto-container
  * always get default allowed_devices from parent
  * inherit default root from parent
  * open default stdio from host mount namespace
  * fork mount namespace from parent namespace for loop root
  * rework hostname inheritance
  * refactor permission checks, respects supplementary groups
  * return error on starting already running sub-container
  * start meta init using fexecve
  * virtualize root_pid
  * fork isolated pid-ns from parent pid-ns

 -- Konstantin Khlebnikov <khlebnikov@yandex-team.ru>  Wed, 16 Sep 2015 13:00:00 +0300

yandex-porto (2.2) precise; urgency=low

  * net: don't touch already configured interfaces in OS virt mode
  * docs: merge docs from openporto branch

 -- Roman Gushchin <klamm@yandex-team.ru>  Mon, 31 Aug 2015 18:14:50 +0300

yandex-porto (2.1) precise; urgency=low

  * fix tc issues
  * new error codes in VolumeAPI
  * fix bash-completion
  * fix root/bind inheritance
  * deny custom root/root_readonly/bind when isolate is false
  * private property for volumes
  * support net=netns <name> network mode
  * cleanup and prepare for opensource

 -- Roman Gushchin <klamm@yandex-team.ru>  Wed, 26 Aug 2015 15:04:21 +0300

yandex-porto (2.0) precise; urgency=low

  * enable scoped unlock by default (threading)
  * don't print backtrace on SIGPIPE
  * portoctl: add build command to build image layer
  * support root_readonly=true for root=/
  * fix meta container start when portod binary is updated (without restart)
  * rework bind property (/<dir> binds to root <dir> binds to <root>/<cwd>)
  * don't update dynamic properties when private is set
  * add container journals

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Wed, 12 Aug 2015 17:52:00 +0300

yandex-porto (1.18) precise; urgency=low

  * add ceph rbd backend for volume
  * add portoctl build command to build volume layer from config
  * when virt_mode == os net defaults to none
  * default net is set to inherited (use parent network)
  * multithreading can be enabled via config option
  * fix wrong macvlan default type (vepa) and broadcast address
  * create temporary directory for default stdout/stderr when root is loop
  * fix hangup when child writes to log after fork (localtime_r)
  * don't fail if no suitable link found (just start without network support)
  * move modprobe cls_cgroup to upstart script
  * refuse to start portod in container
  * check cpu_limit hierarchical value
  * make sure partly constructed container dies when porto dies
  * remove trailing spaces from portoctl list -1
  * move killed frozen tasks into /porto when removing snapshot
  * don't remove container tc class if it's shared with parent
  * fix restart when client identify fails (wrong descriptor added to epoll)

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Fri, 31 Jul 2015 17:55:00 +0300

yandex-porto (1.17) precise; urgency=low

  * fix portod crash when can't lock child container
  * python api: fix reading long replies (partial read)
  * fix invalid tc classes on links that are created after porto startup
  * portoctl: reset terminal on exec error
  * portoctl: fail with correct exit status when can't access socket
  * portotop: fixed crash when tab is pressed
  * rpc: non-blocking reads and writes with 30s timeout (fixes portod hangs)
  * wait for one minute for porto to destroy containers when sending SIGINT
  * mkimg: add support for ipv6 in container
  * validate number of messages in incoming rpc requests
  * request handling time in log now includes stream flush time
  * stability fixes in volume api

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 06 Jul 2015 14:36:00 +0300

yandex-porto (1.16) precise; urgency=low

  * convert docker2porto to new volume api
  * fix hang in initgroups

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Tue, 23 Jun 2015 20:33:00 +0300

yandex-porto (1.15) precise; urgency=low

  * rework volume api (docker2porto doesn't work anymore)
  * portoctl: fix signal handling
  * allow time data in meta state
  * support ipvlan in net property
  * fix missing property value for SetProperty response in log
  * support real numbers in cpu_limit/cpu_guarantee
  * don't add predefined environment if user defines it
  * multiple worker threads with single global lock in daemon
  * fix portod memory leaks

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 22 Jun 2015 18:43:00 +0300

yandex-porto (1.14) precise; urgency=low

  * support for wait operation in python API
  * fix for restoring stopped child in dead parent
  * fix portoctl signal handling
  * check parent container credentials when creating child
  * check whether container belongs to porto while restoring
  * fix wrong combined get error
  * convert some errors/warnings to notice
  * change socket permissions and check for porto group when client connects
  * add enable_porto property
  * fix max_rss - return hierarchical value
  * support timeout in wait operation
  * create tc filter for all protocols
  * fix stdout/stderr permissions (700 -> 660)

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 08 Jun 2015 18:18:00 +0300

yandex-porto (1.13) precise; urgency=low

  * rework meta behavior (don't depend on isolate, don't change to stopped when all children exit)
  * new combined get RPC
  * new wait RPC
  * / container now contains statistics for all host processes
  * /porto container contains statistics for all porto containers
  * set small soft limit for meta containers without running children
  * enable dynamic network ifaces by default

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Wed, 27 May 2015 18:32:00 +0300

yandex-porto (1.12) precise; urgency=low

  * don't let user specify bind target that points to host root
  * print usage and total in error code on memory_guarantee overcommitment
  * support cores in cpu_limit/cpu_guarantee (for example 3c)
  * portotop: common statistics, auto adjusting fields, custom update interval
  * dot container
  * remove net_bps & net_pps (never worked)
  * fix task kill when isolate = false
  * fix broken log rotate
  * try to collapse log files instead of truncating
  * don't reap processes until slave ack
  * don't accept requests from unknown clients

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Fri, 22 May 2015 14:25:00 +0300

yandex-porto (1.11) precise; urgency=low

  * container namespaces
  * deprecate "root_pid" and "parent" data
  * bash completion for portoctl
  * fix race, which caused porto to display -1 exit_code of dead container
  * fix invalid state after OOM in parent container
  * portoctl: top fixes (sorting, ...)

 -- Roman Gushchin <klamm@yandex-team.ru>  Wed, 13 May 2015 17:30:01 +0300

yandex-porto (1.10) precise; urgency=low

  * hide non-supported properties/data
  * python API: read varint properly
  * portotop: repair container entering: bash and top

 -- Roman Gushchin <klamm@yandex-team.ru>  Thu, 30 Apr 2015 15:32:05 +0300

yandex-porto (1.9) precise; urgency=low

  * python API: revert 60525de7a811601ce2a6e18d180562dc7b4e8282
  * portoctl: fix differential values

 -- Roman Gushchin <klamm@yandex-team.ru>  Mon, 27 Apr 2015 21:20:51 +0300

yandex-porto (1.8) precise; urgency=low

  * portoctl: several "portoctl top" bugfixes (broken terminal, etc) and enhancements

 -- Roman Gushchin <klamm@yandex-team.ru>  Mon, 27 Apr 2015 16:55:50 +0300

yandex-porto (1.7) precise; urgency=low

  * Skip tasks with invalid freezer cgroup upon restore (fixes restoring wrong processes)

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Wed, 22 Apr 2015 17:18:00 +0400

yandex-porto (1.6) precise; urgency=low

  * Don't print non-modifying requests/replies to the log
  * task: don't change restored cgroup if pid == portod pid (fixes hang)
  * portoctl: add find command to find container by pid
  * portoctl: complete top rewrite (old version is available as sort command)

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Fri, 17 Apr 2015 19:15:00 +0400

yandex-porto (1.5) precise; urgency=low

  * Set memory+swap limit if available for memory_limit
  * Don't print error messages to log if network disabled for net_bytes, net_packets, net_drops, net_overlimits, net_bps, net_pss

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Thu, 16 Apr 2015 16:01:00 +0400

yandex-porto (1.4) precise; urgency=low

  * Fix wrong oom_killed for subcontainers with isolate=false
  * portoctl: humanify max_rss
  * debian: remove /etc/logrotate.d/yandex-porto

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 13 Apr 2015 21:09:00 +0400

yandex-porto (1.3) precise; urgency=low

  * New logrotate scheme (every hour, 400mb limit)
  * Add NoSpace error
  * Revise error messages (add more details)
  * Return error from Destroy

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 13 Apr 2015 21:09:00 +0400

yandex-porto (1.2) precise; urgency=low

  * Use cp -a to copy volume resource data (fixes wrong links)
  * Add container name to stdout/stderr default paths
  * Hide allowed_devices and capabilities properties
  * Remove cpu_priority property
  * Support numeric ids in user/group properties
  * Change cgroup stop timeout from 1s to 30s
  * Add aging_time property
  * Enable volumes support by default and automatically detect best backend (loop/overlayfs)
  * Increase cgconfig wait timeout to 1m
  * Rework docker2porto script which downloads docker image and converts it to porto (doesn't rely on docker binary anymore)
  * Add memory_usage to porto_stat
  * python: fix variant decoding
  * portod: print warning when message is longer than expected
  * portod: move daemon into cgroup and set 1g memory limit
  * portoctl: add gc command
  * portoctl: add find command
  * portoctl: don't show time for dead containers in list
  * portoctl: add -f option in list to print ascii art
  * portoctl: add -t option in list to show topmost containers

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Tue, 07 Apr 2015 16:41:00 +0400

yandex-porto (1.1) precise; urgency=low

  * Fix memory leak
  * Change freezer timeout to 30 seconds

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 30 Mar 2015 15:18:00 +0400

yandex-porto (1.0) precise; urgency=low

  * Refill link cache upon network even (fixes broken dynamic_ifaces)

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 23 Mar 2015 18:07:00 +0400

yandex-porto (0.99) precise; urgency=low

  * Fix net_ceil name (net_limit)
  * Change error message when container can't be started due to resource limits
  * Add pid of client to rpc request/response

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Fri, 20 Mar 2015 14:07:00 +0400

yandex-porto (0.98) precise; urgency=low

  * Fix setting memory_guarantee to 0 (previous versions ignored it)
  * Support all resource limits with isolate=false
  * portod: handle events from master before client events

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 16 Mar 2015 20:41:00 +0400

yandex-porto (0.97) precise; urgency=low

  * Fix interrupted message error when message size is 1024
  * Fix io_limit on 3.18
  * Fix error when OOM kills portod-spawn-X
  * Add net_tos dummy
  * Return correct error when can't change memory_limit
  * portoctl: add -k option to dget/pget

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Thu, 12 Mar 2015 16:05:00 +0400

yandex-porto (0.96) precise; urgency=low

  * Dump stack on SIGSEGV and SIGPIPE
  * Change default max clients 128 -> 512
  * Add number of running containers to porto_stat
  * Don't die on SIGPIPE (regression)

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Wed, 04 Mar 2015 16:18:00 +0400

yandex-porto (0.95) precise; urgency=low

  * Don't fail on cpu.cfs_period_us/cpu.shares with default cpu_policy/cpu_guarantee

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Fri, 27 Feb 2015 17:10:00 +0400

yandex-porto (0.94) precise; urgency=low

  * Add checks for [] in non-map properties
  * Set default network guarantee to 1 byte/sec
  * Make sure all interfaces specified for net map
  * Add net_bps and net_pps statistics
  * Skip all links without queue
  * Add number of interrupted reads to statistics
  * portoctl: print more details about failed property in run
  * Deprecate cpu_priority, add cpu_limit and cpu_guarantee properties
  * Add io_policy and io_limit properties
  * Don't leak sockets with dynamic_ifaces and improve performance
  * Fix description for net property
  * Fix wrong unlimited spelling for ulimit property
  * Fix capabilities property on 3.18
  * Try to create tc class even if qdisk exists
  * Use pivot_root instead of chroot for filesystem isolation
  * Set correct cwd for child(isolate=false) with parent (isolate=true)
  * mkimg: use /dev/null as main container stdout_path and stderr_path

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Thu, 26 Feb 2015 17:32:00 +0400

yandex-porto (0.93) precise; urgency=low

  * Fix wrong error code when destroying container that doesn't exist
  * Fix wrong container state (running) when we didn't get exit event
  * portoctl: fix help for exec

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Tue, 17 Feb 2015 16:45:00 +0400

yandex-porto (0.92) precise; urgency=low

  * Don't show error when can't kill process that doesn't exist
  * Generate new id if the one we are recovering is already used
  * Fix resource reusage and volume recovery

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Fri, 13 Feb 2015 15:52:00 +0400

yandex-porto (0.91) precise; urgency=low

  * Fix sparse id map range
  * Fix check for already running instance

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Thu, 12 Feb 2015 19:05:00 +0400

yandex-porto (0.90) precise; urgency=low

  * Volume API (disabled by default)
  * Add more logging for process creation
  * Skip restricted_root checks for root user
  * Don't remove custom stdout/stderr
  * Stop dead children when stopping root
  * Run portod-meta-root in meta container with isolate=true
  * Remove restriction on memory_guarantee/recharge_on_pgfault with isolate=false
  * portoctl: fix 100% cpu load for exec
  * portoctl: make list time column longer
  * Count number of successful containers starts in porto_stat

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Thu, 12 Feb 2015 15:00:00 +0400

yandex-porto (0.34) precise; urgency=low

  * use_hierarchy=true by default (kernels should be already updated)
  * Print contents on interrupted message

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 09 Feb 2015 19:22:00 +0400

yandex-porto (0.33) precise; urgency=low

  * Fix loop devices removal

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 09 Feb 2015 18:18:00 +0400

yandex-porto (0.32) precise; urgency=low

  * Don't remove custom stdout/stderr

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Thu, 05 Feb 2015 14:41:00 +0400

yandex-porto (0.31) precise; urgency=low

  * Add SYS_RESOURCE to restricted_root

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Tue, 20 Jan 2015 20:57:00 +0400

yandex-porto (0.30) precise; urgency=low

  * Poppulate /run on tmpfs

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Tue, 20 Jan 2015 13:53:00 +0400

yandex-porto (0.29) precise; urgency=low

  * Add restricted_root support
  * portod: make evtfd O_NONBLOCK

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 19 Jan 2015 22:04:00 +0400

yandex-porto (0.28) precise; urgency=low

  * Add loop allocation debug printouts
  * Don't fail on error when restoring
  * Set ip address after interface is up
  * Change default /run/porto/kvs permission
  * Support G/M/K suffix for memory_limit/memory_guarantee
  * portoctl: don't create tty in exec when STDIN is not a tty
  * portoctl: fix exec environment parsing
  * portoctl: don't handle stdin POLLHUP in exec
  * mkimg: make sure we find only one network interface
  * mkimg: don't use colors when stdout is file
  * mkimg: remove ifconfig
  * mkimg: remove sudo
  * mkimg: fix link UP check
  * mkimg: support customization script
  * mkimg: use NAT for networking inside container
  * mkimg: use non-interactive debconf frontend

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Tue, 13 Jan 2015 16:50:00 +0400

yandex-porto (0.27) precise; urgency=low

  * Fix version

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Thu, 18 Dec 2014 21:03:00 +0400

yandex-porto (0.26) precise; urgency=low

  * Destroy child containers when parent is destroyed
  * Fix child mounts when isolate=false
  * Fix possible invalid state detection after recovery
  * Make root_readonly work even if root is not specified
  * Support dynamic network interfaces (off by default)
  * Support privileged users in config
  * Don't restrict /proc/sys for privileged containers
  * Fix bind for sockets/devices/etc
  * debian: start after yandex-network is configured
  * net: generate default mac based on hostname
  * net: add mtu support
  * net: veth support mac address
  * portoctl: fix wrong terminal size when doing exec
  * portoctl: humanify properties in top
  * portoctl: handle signals in portoctl exec
  * portoctl: print help to stderr

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Thu, 18 Dec 2014 20:39:00 +0400

yandex-porto (0.25) precise; urgency=low

  * upstart: fix possible race with cgroup-bin
  * Use either root or cwd as bind prefix but not both
  * Change freeze timeout to 2 sec
  * Make sure child is dead before respawning
  * Fix broken daemon when spawning with network error
  * Tune RLIMIT_NOFILE limit in portod
  * Add limit for total container number
  * Fix empty /etc/hostname
  * Create /dev/fd link to /proc/self/fd when root is isolated
  * portoctl: support multiple containers in create/get/pget/dget/start/stop/pause/resume/destroy
  * portoctl: support properties in top
  * portoctl: show dead containers in top
  * portoctl: show time since container death in list

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 08 Dec 2014 17:32:00 +0400

yandex-porto (0.24) precise; urgency=low

  * TEMPORARY: set use_hierarchy to 0 by default
  * Don't show root in portoctl list
  * Add network interface aliases
  * Make kill timeout configurable
  * Change date formate in log
  * Send SIGKILL in destroy

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 01 Dec 2014 21:28:00 +0400

yandex-porto (0.23) precise; urgency=low

  * Bring back functionality which removes old dead containers
  * Fix master leak (status queue always grows and never shrinks)
  * Convert daemon statistics to shared mmap and add more data
  * Add small ack queue to master to remove unneeded events
  * Don't kill container when network is switched off on update

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Wed, 26 Nov 2014 13:36:00 +0400

yandex-porto (0.22) precise; urgency=low

  * Add network defaults into config
  * Fix oom_killed data when non-root process is killed
  * Convert some errors to warnings
  * Rotate logs on SIGUSR1
  * Change default net_guarantee
  * Fix possible error when container changes state to stopped, not dead
  * portoctl: support index in properties\data
  * Fix std files path when root doesn't exist
  * Fix error message format when task can't start

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 24 Nov 2014 18:51:00 +0400

yandex-porto (0.21) precise; urgency=low

  * Fix version generation

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Tue, 18 Nov 2014 19:27:00 +0400

yandex-porto (0.20) precise; urgency=low

  * Allow . (dot) in container name
  * Support ext4 formatted file as rootfs (loop mounted)
  * Don't read stdout/stderr in case of device/pipe/socket
  * Add capabilities property
  * Always restrict /proc and /sys
  * Fix bind property to support binding into container /sys subdirectory
  * Add daemon version request to RPC
  * Fix network data persistence
  * Fix paused state recovery
  * Fix portod socket removal upon shutdown
  * Adjust portod OOM score
  * libporto: Don't retry RPC if socket doesn't exist

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Tue, 18 Nov 2014 18:46:00 +0400

yandex-porto (0.19) precise; urgency=low

  * Fix recovery

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Wed, 12 Nov 2014 19:23:00 +0400

yandex-porto (0.18) precise; urgency=low

  * fix release version

 -- Stas Ivanichkin <sivanichkin@yandex-team.ru>  Tue, 11 Nov 2014 23:13:06 +0300

yandex-porto (0.17ubuntu1) precise; urgency=low

  * added new packege yandex-search-group-porto
  * added new package yandex-search-porto

 -- Stas Ivanichkin <sivanichkin@yandex-team.ru>  Tue, 11 Nov 2014 22:18:56 +0300

yandex-porto (0.17) precise; urgency=low

  * Fix network sharing when network support is disabled

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Tue, 11 Nov 2014 14:30:00 +0400

yandex-porto (0.16) precise; urgency=low

  * Another attempt to fix package upgrade :-(

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 10 Nov 2014 23:13:00 +0400

yandex-porto (0.15) precise; urgency=low

  * Fix package upgrade spelling

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 10 Nov 2014 22:43:00 +0400

yandex-porto (0.14) precise; urgency=low

  * Fix package upgrade

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 10 Nov 2014 22:18:00 +0400

yandex-porto (0.13) precise; urgency=low

  * Fix invalid task cgroups upon recovery

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 10 Nov 2014 21:31:00 +0400

yandex-porto (0.12) precise; urgency=low

  * Phase 3 beta release new features:
   - Multiple networks support: network data and properties are now per-device
   - New privilege mode: only root can create and start containers with custom user/group
   - New allowed_devices property
   - New net property to isolate container network and create macvlans
   - New bind property to bind host directories into container
   - New max_respawns property to limit total number of container respawns
   - New python api with OOP
   - New root property to isolate container filesystem
   - New hostname property to change container hostname and isolate UTS
   - New bind_dns property which binds host /etc/hosts and /etc/resolv.conf into container
   - New readonly_root property
   - New io_read/io_write data with container per device IO statistics
   - Set PORTO_HOST environment variable which contains host name
   - Set PORTO_NAME environment variable which contains container name
   - New meta containers as a way to limit resources for children containers

  * Fixes:
   - Don't depend on system libnl version, build and use our own
   - Containers basedir is removed upon portod startup (when no containers restored)
   - Default number of clients changed to 128
   - Fix libporto crash on long protobuf messages
   - Start() error message is now returned via API (not via syslog)
   - Don't add container cwd to $PATH
   - Minor/major_faults now include children
   - Default net_guarantee is changed to 10Mbit
   - IPC is now isolated when isolate property is true
   - cpu_priority property is now dynamic
   - portoctl doesn't add extra newline for get
   - Fix libporto hang when client doesn't have permissions to connect to socket

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 10 Nov 2014 18:21:00 +0400

yandex-porto (0.11) precise; urgency=low

  * added new package python-portopy (python API for porto)

 -- Stas Ivanichkin <sivanichkin@yandex-team.ru>  Mon, 10 Nov 2014 14:17:07 +0300

yandex-porto (0.10) precise; urgency=low

  * Add ulimit property
  * Add portoctl exec command

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 13 Oct 2014 19:24:04 +0400

yandex-porto (0.9) precise; urgency=low

  * Fix recovery for containers with colon in name

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Fri, 10 Oct 2014 18:09:47 +0400

yandex-porto (0.8) precise; urgency=low

  * Fix sorting in portoctl top
  * Add missing log rotate for portoloop.log
  * Remove cmake from build requirements
  * Rework isolate=false for child containers (now share namespace with parent)
  * Add private property so users can attach application specific data to containers
  * Add stdout_limit property to limit number of bytes returned from stdout/stderr data
  * When client disconnects print it's pid, gid and uid in the log
  * Fix bug which prevents setting empty string to properties

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Fri, 10 Oct 2014 16:45:26 +0400

yandex-porto (0.7) precise; urgency=low

  * Fix permission 

 -- Eugene Kilimchuk <ekilimchuk@yandex-team.ru>  Wed, 08 Oct 2014 18:03:06 +0400

yandex-porto (0.6) stable; urgency=low

  * Merge portoexec to portoctl and fixed chown for portoctl. 

 -- Eugene Kilimchuk <ekilimchuk@yandex-team.ru>  Mon, 06 Oct 2014 21:21:50 +0400

yandex-porto (0.5) stable; urgency=low

  * Added portoexec. 

 -- Eugene Kilimchuk <ekilimchuk@yandex-team.ru>  Tue, 30 Sep 2014 14:14:57 +0400

yandex-porto (0.4) stable; urgency=low

  * Phase 2 beta release 2.

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 29 Sep 2014 21:45:00 +0400

yandex-porto (0.3) stable; urgency=low

  * Phase 2 beta release.

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 29 Sep 2014 17:32:00 +0400

yandex-porto (0.2) stable; urgency=low

  * Phase 1 release.

 -- Stanislav Fomichev <stfomichev@yandex-team.ru>  Mon, 01 Sep 2014 15:48:46 +0400

yandex-porto (0.1) stable; urgency=low

  * Initial release.

 -- Eugene Kilimchuk <ekilimchuk@yandex-team.ru>  Wed, 27 Aug 2014 20:55:00 +0400