Skip to main content
Version: 1.7.x

v1.7.0

Release Date

April 23, 2026

Highlights

This release introduces Datasets SDK & CLI for managing benchmark datasets on OSS, container rootfs disk limits via Docker storage-opt, and a revamped Docker auth scheme using per-sandbox temporary directories. WebSocket proxy header forwarding has been switched from whitelist to blacklist to support custom headers, and sandbox containers now receive full IANA timezone support via host zoneinfo bind-mounts. The admin service gains MetaStore & database operation metrics for observability.

Datasets

New Feature

Datasets SDK & CLI

  • NEW: Added rock datasets CLI with three subcommands: list (browse datasets by org/name/split), tasks (enumerate task IDs within a split with --offset/--limit pagination), and upload (bulk-upload local task directories to OSS with configurable concurrency and --overwrite flag) (#859, #875)

  • NEW: OssDatasetRegistry backend using oss2 SDK to navigate the datasets/{org}/{dataset}/{split}/{task_id}/ key structure, supporting both directory-style and flat file-style tasks. OSS credentials can be passed as CLI flags or stored in the [dataset] section of config.ini (#859)

  • Task listing now recognizes both directory tasks (from prefix_list) and file tasks (from object_list), with automatic suffix stripping and deduplication (#875)

Sandbox

New Features

Container Disk Limits

  • Supports limiting sandbox rootfs size via Docker --storage-opt size=<value>. Requires overlay2 storage driver + XFS filesystem + prjquota mount option. Also supports setting XFS project quotas on sandbox log directories via xfs_quota, requiring XFS filesystem + prjquota mount option. (#860)

  • Server-side RuntimeConfig gains disk_limit_rootfs and disk_limit_log fields (both default to None), configurable per environment in rock-{env}.yml with Nacos runtime overrides (#860)

Sandbox Timezone Support

  • NEW: Containers now receive full IANA timezone support — ROCK mounts the host's zoneinfo file (e.g. /usr/share/zoneinfo/Asia/Shanghai) read-only to /etc/localtime. Automatically skips with a warning if the host lacks the corresponding zoneinfo file (#883)

Admin

MetaStore & Database Operation Metrics

  • NEW: Added OpenTelemetry metrics instrumentation for SandboxMetaStore and SandboxTable CRUD operations. Each operation (create, get, update, delete, list, batch_get, archive, etc.) is now automatically tracked with total/success/failure counters and response time gauges (#887)

Deployments

Docker Auth Refactor

  • Replaced the legacy Docker auth scheme with a temporary-directory approach. A TempAuthDockerClient context manager creates an isolated temp directory per sandbox, runs docker --config <tmpdir> login, performs image pulls, and cleans up on exit — preventing registry credentials from persisting in the global Docker config (#837)

  • The base directory for temp auth dirs is configurable via ROCK_DOCKER_TEMP_AUTH_DIR env var, defaulting to the system temp directory (#837)

Proxy

WebSocket Header Forwarding

  • The /sandboxes/{id}/proxy/{path:path} endpoint supports header forwarding — all client headers are forwarded to upstream services by default, filtering only WebSocket handshake headers (sec-websocket-*), hop-by-hop headers (connection, upgrade, transfer-encoding, content-length), and host. The origin header receives special handling — extracted separately and passed as the WebSocket origin parameter. The VNC WebSocket route disables this feature to avoid exceeding QEMU's 4 KB header buffer limit (#865)

Bug Fixes

  • Fix auto_clear_time calculation: fractional minutes from auto_clear_seconds / 60 are now rounded up via math.ceil() to at least 1 minute; also caps wait_interval in the process-alive polling loop to be less than auto_clear_seconds, preventing the sandbox from auto-clearing before the first liveness check (#883)

  • Fix UV environment setup: project tree is now copied to a writable /tmp/rock-build directory before uv pip install, resolving failures caused by read-only source mounts in containers (#857)

Testing & CI

  • Added unit tests for DockerUtil helpers (detect_storage_opt_support, is_xfs_path, get_docker_root_dir) and DockerDeployment disk limit integration (#860)

  • Added integration tests for Docker temporary-directory auth scheme (#837)

  • Added comprehensive unit tests for Datasets CLI, client, models, and OSS registry (#859, #875)

  • Database connection unit tests and parameter optimizations (#852)

  • Clean up leaked timers in TS SDK model client tests (#839)

Migration Notes

  • Docker auth: The legacy Docker auth scheme has been removed. If you relied on persistent credentials in ~/.docker/config.json written by ROCK, note that ROCK now uses ephemeral temp directories. Set ROCK_DOCKER_TEMP_AUTH_DIR to customize the temp directory location.

  • WebSocket proxy headers: If your downstream services relied on a specific set of forwarded headers, be aware that all non-blocked headers are now forwarded. The blocked set includes host, connection, upgrade, sec-websocket-*, transfer-encoding, and content-length.

  • Disk limits: Disk quotas are server-side policy — disk_limit is not exposed in SandboxStartRequest. Configure via RuntimeConfig.disk_limit_rootfs / disk_limit_log in your environment YAML or Nacos overrides.