Releases: angelorc/vmsan
v0.3.0
v0.2.1
v0.2.0
Minor Changes
- #66 10841fa Thanks @angelorc! - Migrate firewall backend from iptables to nftables with atomic rule application.
  Breaking changes:
  - ICMP blocked by default from VMs (prevents ICMP tunneling)
  - UDP blocked by default except DNS (prevents UDP data exfiltration)
  - nftables kernel support required on host (kernel ≥ 5.10)
  - Reserved port ranges: 10053-10307, 10443-10697, 10080-10334 (for future DNS/SNI proxy)
  - Host firewalls (ufw/firewalld) may need explicit allow rules for vmsan traffic
  New features:
  - Atomic nftables rule application via google/nftables netlink library
  - Per-VM table isolation (vmsan_<vmId>) — one DelTable() for complete cleanup
  - DoT (TCP 853) and DoH blocking for DNS bypass prevention
  - Cross-VM isolation blocking internal subnets
  - Deterministic port allocation for future DNS/SNI proxy
  - Per-namespace ip_forward setting
  - vmsan doctor checks for nftables kernel support and host firewall detection
  - Backward compatibility: VMSAN_LEGACY_IPTABLES=1 env var for iptables fallback
v0.1.1
v0.1.0-beta.2
Minor Changes
- #56 07ac73b Thanks @angelorc! - feat: add vmsan doctor diagnostic command and fix JSON output consistency
Patch Changes
- #55 0899f7f Thanks @angelorc! - docs: sync documentation with beta.1 CLI changes
- #54 d518f9a Thanks @angelorc! - test: add e2e smoke test script and manual test matrix
Full Changelog: v0.1.0-beta.1...v0.1.0-beta.2
v0.1.0
Minor Changes
- #56 07ac73b Thanks @angelorc! - feat: add vmsan doctor diagnostic command and fix JSON output consistency
- #47 bfc12a7 Thanks @angelorc! - Add KVM pre-flight check to vmsan create and cleanup verification after vmsan stop / vmsan remove
- #46 913e721 Thanks @angelorc! - Add state file versioning to VM state store for future migration support
Patch Changes
- #48 c824d44 Thanks @angelorc! - Audit and fix CLI help text for all commands
- #55 0899f7f Thanks @angelorc! - docs: sync documentation with beta.1 CLI changes
- #59 14492aa Thanks @angelorc! - docs: add known limitations and doctor command to README
- #54 d518f9a Thanks @angelorc! - test: add e2e smoke test script and manual test matrix
- #60 d96e740 Thanks @angelorc! - fix: use hoisted linker for docs to work around @nuxt/content context isolation bug
- #63 de8fb76 Thanks @angelorc! - fix: include error code and fix/why fields at top level of JSON error output
- #44 725924c Thanks @angelorc! - Fix install failure on systems without loop devices by replacing mount -o loop with mkfs.ext4 -d for rootfs creation, and auto-install Docker when not found instead of skipping runtime builds.
- #40 fe41441 Thanks @angelorc! - Harden installer and VM networking reliability across mixed Linux hosts.
  - fix branch/commit installs and uninstalls in install.sh, including safer cleanup of per-VM iptables rules
  - migrate the default VM subnet to 198.19.x.x while preserving compatibility with legacy persisted 172.16.x.x states
  - keep stopped VM slots reserved, tighten persisted IP parsing, and restore agent connectivity on hosts with restrictive local firewalls
- #62 5092c9d Thanks @angelorc! - Persist isolation flags (disableSeccomp, disablePidNs, disableCgroup) in VM state so they are honored on restart
- #36 b9a5d9c Thanks @angelorc! - Improve runtime VM usability and the release lifecycle.
  - fix PATH handling for agent exec and PTY shells so Node/npm and user-global installs work reliably inside runtime VMs
  - improve source installs in install.sh with branch/commit bootstrap support and modern Go enforcement
  - switch the project to a real Changesets workflow with authored changesets, release PRs, and npm/agent publishing from reviewed version commits
- #49 cab910a Thanks @angelorc! - Add comprehensive unit test suite and reduce stale lock timeout from 5m to 30s
v0.1.0-beta.1
Minor Changes
- #47 bfc12a7 Thanks @angelorc! - Add KVM pre-flight check to vmsan create and cleanup verification after vmsan stop / vmsan remove
- #46 913e721 Thanks @angelorc! - Add state file versioning to VM state store for future migration support
Patch Changes
- #48 c824d44 Thanks @angelorc! - Audit and fix CLI help text for all commands
- #49 cab910a Thanks @angelorc! - Add comprehensive unit test suite and reduce stale lock timeout from 5m to 30s
Full Changelog: v0.1.0-alpha.27...v0.1.0-beta.1
v0.1.0-alpha.27
Patch Changes
- #44 725924c Thanks @angelorc! - Fix install failure on systems without loop devices by replacing mount -o loop with mkfs.ext4 -d for rootfs creation, and auto-install Docker when not found instead of skipping runtime builds.
Full Changelog: v0.1.0-alpha.26...v0.1.0-alpha.27
v0.1.0-alpha.26
Patch Changes
- #40 fe41441 Thanks @angelorc! - Harden installer and VM networking reliability across mixed Linux hosts.
  - fix branch/commit installs and uninstalls in install.sh, including safer cleanup of per-VM iptables rules
  - migrate the default VM subnet to 198.19.x.x while preserving compatibility with legacy persisted 172.16.x.x states
  - keep stopped VM slots reserved, tighten persisted IP parsing, and restore agent connectivity on hosts with restrictive local firewalls
v0.1.0-alpha.25
Patch Changes
- #36 b9a5d9c Thanks @angelorc! - Improve runtime VM usability and the release lifecycle.
  - fix PATH handling for agent exec and PTY shells so Node/npm and user-global installs work reliably inside runtime VMs
  - improve source installs in install.sh with branch/commit bootstrap support and modern Go enforcement
  - switch the project to a real Changesets workflow with authored changesets, release PRs, and npm/agent publishing from reviewed version commits
What's Changed
- feat: pre-built runtime images and remove node22-demo by @angelorc in #36
- Version Packages (alpha) by @github-actions[bot] in #38
- fix: format changeset prerelease state by @angelorc in #39
Full Changelog: v0.1.0-alpha.24...v0.1.0-alpha.25