Update to CGroupsV2
Flatcar Container Linux migrates to the unified cgroup hierarchy (aka cgroups v2)! New nodes will utilize cgroups v2 by default. Existing nodes remain on cgroups v1 and need to be manually migrated to cgroups v2. To learn more about cgroups v2 on Flatcar Container Linux, and for the migration guide, please refer to https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-to-unified-cgroups/
Security fixes
- Linux (CVE-2021-34556, CVE-2021-35477, CVE-2021-38205)
- dnsmasq (CVE-2021-3448)
- glibc (CVE-2021-35942)
- Go (CVE-2021-36221)
- libuv (CVE-2021-22918)
- mit-krb5 (CVE-2021-36222)
- NVIDIA Drivers (CVE-2021-1090, CVE-2021-1093, CVE-2021-1094, CVE-2021-1095)
- systemd (CVE-2020-13529, CVE-2021-33910)
- tar (CVE-2021-20193)
Bug fixes
- Fixed pam.d sssd LDAP auth with sudo (coreos-overlay#1170)
- Let network-cleanup.service finish before entering rootfs (coreos-overlay#1182)
- Fixed SELinux policy for Flannel CNI (coreos-overlay#1181)
Changes
- cgroups v2 by default for new nodes (coreos-overlay#931)
- Upgrade Docker to 20.10 (coreos-overlay#931)
- update_engine: add postinstall hook to stay on cgroupv1 (update_engine#13)
- Switched to zstd compression for the initramfs (coreos-overlay#1136)
- Embedded new subkey in flatcar-install (coreos-overlay#1180)
- Azure: Compile OEM contents for all architectures (coreos-overlay#1196)
- AWS: Added amazon-ssm-agent (coreos-overlay#1162)
- SDK: enabled experimental ARM64 SDK usage (flatcar-scripts#134) (flatcar-scripts#141)
Updates
- Linux (5.10.59)
- containerd (1.5.5)
- docker (20.10.7)
- docker CLI (20.10.7)
- docker proxy (0.8.0_p20210525)
- glibc (2.33-r5)
- Go (1.16.7)
- libuv (1.41.1)
- mit-krb5 (1.19.2)
- NVIDIA Drivers (470.57.02)
- portage-utils (0.90)
- runc (1.0.1)
- systemd (247.9)
- tar (1.34)
- tini (0.19)
- SDK: dnsmasq (2.85)
- SDK: rust (1.54)
Note: ARM images remain experimental for now.