kinvolk/manifest v2983.2.0

on GitHub

New Stable release 2983.2.0

Update to CGroupsV2

CGroups V2 is coming to Stable! Introduced in Alpha 2969.0.0, the feature has been stabilising for almost three months now and will be included in Stable 2983.2.0.
NOTE that only new nodes will utilize CGroupsV2 by default. Existing nodes remain on CGroupsV1 and need to be manually migrated to CGroupsV2. To learn more about CGroupsV2 on Flatcar Container Linux and the migration guide, please refer to https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-to-unified-cgroups/

Changes since Beta 2983.1.2

Security fixes

• Linux (CVE-2021-3760, CVE-2021-3772, CVE-2021-42327, CVE-2021-43056, CVE-2021-43267, CVE-2021-43389)
• Go (CVE-2021-41771, CVE-2021-41772)

Bug fixes

• Use https protocol instead of git for Github URLs (flatcar-linux/coreos-overlay#1394)

Updates

• Linux (5.10.77)
• Go (1.16.10)

Changes since Stable 2905.2.6

Security fixes

• Linux (CVE-2021-3609, CVE-2021-3653, CVE-2021-3655, CVE-2021-3656, CVE-2021-3760, CVE-2021-3772, CVE-2020-26541, CVE-2021-35039, CVE-2021-37576, CVE-2021-22543, CVE-2021-33909, CVE-2021-34556, CVE-2021-35477, CVE-2021-38166, CVE-2021-38205, CVE-2021-42327, CVE-2021-43056, CVE-2021-43267, CVE-2021-43389)
• Go (CVE-2021-34558, CVE-2021-41771, CVE-2021-41772)
• c-ares (CVE-2021-3672)
• containerd (CVE-2021-32760)
• curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
• dnsmasq (CVE-2021-3448)
• expat (CVE-2013-0340)
• glibc (CVE-2020-29562, CVE-2019-25013, CVE-2020-27618, CVE-2021-27645, CVE-2021-33574, CVE-2021-35942)
• libgcrypt (CVE-2021-33560)
• libpcre (CVE-2019-20838, CVE-2020-14155)
• libuv (CVE-2021-22918)
• mit-krb5 (CVE-2021-36222)
• NVIDIA Drivers (CVE-2021-1090, CVE-2021-1093, CVE-2021-1094, CVE-2021-1095)
• systemd (CVE-2020-13529, CVE-2021-33910)
• tar (CVE-2021-20193)

Bug fixes

• Use https protocol instead of git for Github URLs (flatcar-linux/coreos-overlay#1394)
• Skip tcsd.service for TPM2 devices to fix failures on c3.small.x86 instances of Equinix Metal (Flatcar#208)
• Fixed containerd config after introduction of CGroupsV2 (coreos-overlay#1214)
• Fixed path for amazon-ssm-agent in base-ec2.ign (coreos-overlay#1228)
• Fixed locksmith adhering to reboot window when getting the etcd lock (locksmith#10)
• Add the systemd tag in udev for Azure storage devices, to fix /boot automount (init#41)

Changes

• Added Azure Generation 2 VM support (coreos-overlay#1198)
• cgroups v2 by default for new nodes (coreos-overlay#931).
• Upgrade Docker to 20.10 (coreos-overlay#931)
• Switched Docker ecosystem packages to go1.16 (coreos-overlay#1217)
• Added lbzip2 binary to the image (coreos-overlay#1221)
• flatcar-install uses lbzip2 if present, falls back on bzip2 if not (init#46)
• Added Intel E800 series network adapter driver (coreos-overlay#1237)
• Enabled ‘audit’ use flag for sys-libs/pam (coreos-overlay#1233)
• Bumped etcd and flannel to respectively 3.5.0, 0.14.0 to get multiarch images for arm64 support. Note for users of the old etcd v2 support: ETCDCTL_API=2 must be set to use v2 store as well as ETCD_ENABLE_V2=true in the etcd-member.service - this support will be removed in 3.6.0 (coreos-overlay#1179)
• Support BTRFS in OEM and /usr partitions, but only used it for the OEM partition for now. Ignition configurations that refer to the OEM partition will work with any filesystem format specified, a mismatch is not resulting in a boot error. (coreos-overlay#1106)
• Switched the arm64 kernel to use a 4k page size instead of 64k
• Switched dm-verity corruption detection to issue a kernel panic (a panic results in a reboot after 1 minute, this was the case before already) instead of merely failing certain syscalls that try to use the corrupted data
• Enabled ARM64 SDK bootstrap (flatcar-linux/scripts#134)
• SDK: enabled experimental ARM64 SDK usage (flatcar-linux/scripts#134) (flatcar-linux/scripts#141)
• AWS: Added amazon-ssm-agent (coreos-overlay#1162)
• Azure: Compile OEM contents for all architectures (coreos-overlay#1196)
• update_engine: add postinstall hook to stay on cgroupv1 (update_engine#13)
• Enable telnet support for curl (coreos-overlay#1099)
• Enable ssl USE flag for wget (coreos-overlay#932)
• Enable MDIO_BCM_UNIMAC for arm64 (coreos-overlay#929)

Updates

• Linux (5.10.77)
• Linux firmware (20210818)
• Go (1.16.10)
• c-ares (1.17.2)
• containerd (1.5.7)
• cryptsetup (2.3.6)
• curl (7.78)
• dbus (1.12.20)
• docker (20.10.10)
• docker CLI (20.10.10)
• docker proxy (0.8.0_p20210525)
• dracut (053)
• etcd (3.5.0)
• expat (2.4.1)
• gettext (0.21-r1)
• glibc (2.33-r5)
• gptfdisk (1.0.7)
• flannel (0.14.0)
• intel-microcode (20210608)
• libarchive (3.5.1)
• libev (4.33)
• libpcre (8.44)
• libuv (1.41.1)
• libverto (0.3.1)
• lz4 (1.9.3-r1)
• mit-krb5 (1.19.2)
• NVIDIA Drivers (470.57.02)
• pax-utils (1.3.1)
• portage-utils (0.90)
• readline (8.1_p1)
• runc (1.0.2)
• selinux (3.1)
• selinux-refpolicy (2.20200818)
• strace (5.12)
• systemd (247.9)
• tar (1.34)
• tini (0.19)
• wa-linux-agent (2.3.1.1)
• xz-utils (5.2.5)
• SDK: dnsmasq (2.85)
• SDK: rust (1.54)
• VMWare: open-vm-tools (11.3.0)