Skip to content

0.9.30 — flip rootless_per_user default to true#188

Merged
click0 merged 1 commit into
mainfrom
claude/release-0.9.30
May 10, 2026
Merged

0.9.30 — flip rootless_per_user default to true#188
click0 merged 1 commit into
mainfrom
claude/release-0.9.30

Conversation

@click0
Copy link
Copy Markdown
Owner

@click0 click0 commented May 10, 2026

Summary

  • Flips Crated::Config::rootlessPerUser default from false to true (in daemon/config.h)
  • Rewrites daemon/crated.conf.sample rootless block to advertise the new default and document the opt-out path
  • Brings docs/rootless-migration.md up to date: status promoted to "on by default", release-by-release log filled in for 0.9.13–0.9.30, single-tenant migration split into "accept the flip" / "pin to legacy" / "rolling back" subsections
  • Bumps cli/args.cpp version string to crate 0.9.30
  • Adds CHANGELOG entry covering the upgrade matrix and what stays wire-stable

Behaviour for upgraders

Pre-0.9.30 crated.conf state 0.9.30 effective value Action needed
rootless_per_user: true (explicit) true None
rootless_per_user: false (explicit) false None
key absent (most 0.8.x → 0.9.x upgrades) true (was false) Recycle jails OR pin to false

The third row is the breaking case. Operators who don't want the per-user split must add rootless_per_user: false before restarting crated.

Wire compatibility

No wire changes. All 21 privops verbs from 0.9.0–0.9.28 unchanged. Bearer token / JSON / libnv schemas unchanged. The flip is purely a config-default change in the daemon.

Series state

Track complete except for setuid removal:

  • 0.9.0–0.9.7: privops verb taxonomy (14 verbs, JSON)
  • 0.9.8–0.9.13: per-user namespacing pure modules + audit
  • 0.9.14: libnv listener (FreeBSD-native, getpeereid)
  • 0.9.15–0.9.29: 14 CLI call sites wired through privops; verb set grew to 21
  • 0.9.30: default flip (this PR)
  • 1.0.0: setuid bit removed from Makefile install

Test plan

  • FreeBSD CI green (suite stays at 1303)
  • Linux CI green
  • Manual: crate --version prints crate 0.9.30
  • Manual: fresh crated startup with no rootless_per_user: in conf → per-user mode active
  • Manual: explicit rootless_per_user: false → legacy single-tenant shape preserved

Generated by Claude Code

@claude
0.9.30 — flip rootless_per_user default to true
4aeeb8c 
Last config-only release of the 0.9.x rootless track. The
master toggle in daemon/config.h now defaults to true, so
new installs (and old installs whose crated.conf doesn't set
the field) compose paths, ZFS prefix, network sub-CIDR, and
RCTL umbrella from the connecting operator's uid.

Sample config rewritten to show the new default; migration
doc gained a "Rolling back" section covering the opt-out
procedure (rootless_per_user: false + restart + jail recycle).

Wire-format unchanged. Suite stays at 1303. Remaining for
1.0.0: setuid bit removed from Makefile install target.
@click0 click0 merged commit 3fdf5f9 into main May 10, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@click0 @claude