At least two of the features in this release deserve special attention.
Changing The Root Filesystem
Security is our top priority, so let's look closer at the "rootfs"
The coolest thing about it is that it's not just a simple chroot() system
call as some may expect. It's not a secret that chroot() is not intended
for security purposes, and there are plenty of ways for an attacker to get out
of the chrooted directory (just check "man 2 chroot"). That's why on modern
systems Unit can use pivot_root() with the "mount" namespace isolation
enabled, which is way more secure and pretty similar to putting your
application in an individual container.
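
The sequence described above, as an added example that is not Unit's source code: a private mount namespace followed by pivot_root(), in the order documented in pivot_root(2). The function names and the default path are assumptions made for illustration; the code is Linux-only and the calls need CAP_SYS_ADMIN.

```c
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWNS */
#include <stdio.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Switch the calling process into new_root using a private mount namespace
 * and pivot_root(). Returns 0 on success or the errno of the failing step.
 * unshare and pivot_root go through syscall(), so no glibc wrapper is needed. */
static int enter_rootfs(const char *new_root)
{
    /* 1. Private copy of the mount table (requires CAP_SYS_ADMIN). */
    if (syscall(SYS_unshare, CLONE_NEWNS) == -1) return errno;
    /* 2. Keep our mount changes from propagating back to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) return errno;
    /* 3. pivot_root() needs new_root to be a mount point: bind it to itself. */
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) == -1) return errno;
    if (chdir(new_root) == -1) return errno;
    /* 4. Swap roots; the old root ends up stacked on the same directory. */
    if (syscall(SYS_pivot_root, ".", ".") == -1) return errno;
    /* 5. Detach the old root. Unlike after chroot(), the old root is no
     *    longer mounted anywhere in this namespace. */
    if (umount2(".", MNT_DETACH) == -1) return errno;
    return chdir("/") == -1 ? errno : 0;
}

/* Run enter_rootfs() in a child so the caller's own view is untouched.
 * Returns the child's result (0 or errno), or -1 if it could not be run. */
int try_rootfs(const char *new_root)
{
    int status;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) _exit(enter_rootfs(new_root));
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* Constructed default path; pass a prepared root directory as argv[1]. */
    const char *root = argc > 1 ? argv[1] : "/var/empty/example-rootfs";
    int rc = try_rootfs(root);
    printf("enter_rootfs(%s): %s\n", root, rc == 0 ? "ok" : "failed");
    return rc != 0;
}
```
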
Also, our goal is to make any security option as easy to use as possible.
In this case, Unit automatically tries to mount all the necessary
language-specific dependencies inside a new root, so you won't need
to care about them. Currently, this capability works for selected languages
only, but support will be extended in upcoming releases.
For more information and examples of "rootfs" usage, check the documentation:
The other major update in this release is called "targets", aiming to simplify
configuration for many PHP applications. Perhaps it is best illustrated by an
example: WordPress. This is one of many applications that use two different
1. Most user requests are handled by index.php regardless of the actual
2. Administration interface and some components rely on direct requests
to specific .php scripts named in the URI.
Earlier, users had to configure two Unit applications to handle this disparity: