kinvolk/manifest v3115.0.0

on GitHub

New Alpha release 3115.0.0

Changes since Alpha 3066.0.0

Known issues

• calico is crashing with Kubernetes 1.23 and Linux 5.15 - it's recommended to switch over iptables instead of ipvs for kube-proxy mode. (projectcalico/calico#5011)
• The SELinux policy store update fix resulted in some files leaked to the root filesystem top directory (Flatcar#596)

Security fixes

• Linux (CVE-2020-27820, CVE-2021-4001, CVE-2021-4002, CVE-2021-4083, CVE-2021-4135, CVE-2021-4155, CVE-2021-28711, CVE-2021-28712, CVE-2021-28713, CVE-2021-28714, CVE-2021-28715)
• GCC (CVE-2020-13844)
• Go (CVE-2021-44716, CVE-2021-44717)
• ca-certificates (CVE-2021-43527)
• containerd (CVE-2021-43816)
• ignition (CVE-2020-14040)
• libarchive (libarchive-1565, libarchive-1566)
• openssh (CVE-2021-41617)
• runc (CVE-2021-43784)
• torcx (CVE-2021-38561, CVE-2021-43565)
• vim (CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-3927, CVE-2021-3928, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974)
• SDK: edk2-ovmf (CVE-2019-14584, CVE-2021-28210, CVE-2021-28211, CVE-2021-28213)
• SDK: libxslt (CVE-2021-30560)
• SDK: mantle (CVE-2021-3121, CVE-2021-38561, CVE-2021-43565)
• SDK: Python (CVE-2018-20852, CVE-2019-5010, CVE-2019-9636, CVE-2019-9740, CVE-2019-9947, CVE-2019-9948, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422, CVE-2020-26116, CVE-2021-3177, CVE-2021-3426, CVE-2021-23336, CVE-2021-29921)
• SDK: QEMU (CVE-2020-35504, CVE-2020-35505, CVE-2020-35506, CVE-2020-35517, CVE-2021-20255, CVE-2021-20257, CVE-2021-20263, CVE-2021-3409, CVE-2021-3416, CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3607, CVE-2021-3608, CVE-2021-3682)

Bug fixes

• Added configuration files for logrotate (flatcar-linux/coreos-overlay#1442)
• Fixed ETCD_NAME conflicting with --name for etcd-member to start (flatcar-linux/coreos-overlay#1444)
• The Torcx profile docker-1.12-no got fixed to reference the current Docker version instead of 19.03 which wasn't found on the image, causing Torcx to fail to provide Docker (flatcar-linux/coreos-overlay#1456)
• Fix vim warnings on missing file, when built with USE=”minimal” (portage-stable#260)
• Excluded the Kubenet cbr0 interface from networkd's DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check (flatcar-linux/init#55)
• Ensured that the /run/xtables.lock coordination file exists for modifications of the xtables backend from containers (must be bind-mounted) or the iptables-legacy binaries on the host (flatcar-linux/init#57)
• AWS: Published missing arm64 AMIs for stable & beta (flatcar-linux/scripts#188, flatcar-linux/scripts#189)
• dev container: Fixed github URL for coreos-overlay and portage-stable to use repos from flatcar-linux org directly instead of relying on redirects from the kinvolk org. This fixes checkouts with emerge-gitclone inside dev-container. (flatcar-linux/scripts#194)
• SDK: Fixed build error popping up in the new SDK Container because policycoreutils used the wrong ROOT to update the SELinux store (flatcar-linux/coreos-overlay#1502)

Changes

• Flatcar is in the NIST CPE dictionary. Programmatically build the CPE_NAME in the build process in order to be scanned (flatcar-linux/Flatcar#536)
• Added a new flatcar-update tool to the image to ease manual updates, rollbacks, channel/release jumping, and airgapped updates (flatcar-linux/init#53)
• Update-engine now creates the /run/reboot-required flag file for kured (flatcar-linux/update_engine#15)
• Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference (flatcar-linux/init#56)
• Backported elf support for iproute2 (flatcar-linux/coreos-overlay#1256)
• Added CONFIG_NF_CT_NETLINK_HELPER (for libnetfilter_cthelper), CONFIG_NET_VRF (for virtual routing and forwarding) and CONFIG_KEY_DH_OPERATIONS (for keyutils) to the kernel config (flatcar-linux/coreos-overlay#1524)

Updates

• Linux (5.15.13)
• Linux Firmware (20211216)
• Linux Kernel headers (5.15)
• Docker (20.10.12)
• GCC (9.4.0)
• Go (1.17.6)
• acl (2.3.1)
• attr (2.5.1)
• audit (3.0.6)
• boost (1.76.0)
• btrfs-progs (5.15.1)
• ca-certificates (3.74)
• containerd (1.5.9)
• coreutils (8.32)
• diffutils (3.8)
• ethtool (5.10)
• findutils (4.8.0)
• glib (2.68.4)
• glog (0.4.0)
• i2c-tools (4.2)
• iproute2 (5.15)
• ipset (7.11)
• ipvsadm (1.27)
• kmod (29)
• libarchive (3.5.2)
• libcap (2.49)
• libcap-ng (0.8.2)
• libmicrohttpd (0.9.73)
• libnl (3.5.0)
• libseccomp (2.5.1)
• lshw (02.19.2b_p20210121)
• lsof (4.94.0)
• openssh (8.8)
• pax-utils (1.3.3)
• psmisc (23.4)
• runc (1.0.3)
• systemd (249.7)
• tdb (1.4.5)
• usbutils (014)
• vim (8.2.3582)
• which (2.21)
• Azure: Python for OEM images (3.9.8)
• SDK: Python (3.9.8)
• SDK: Rust (1.57.0)
• SDK: edk2-ovmf (202105)
• SDK: file (5.40)
• SDK: ipxe (1.21.1)
• SDK: mantle (0.17.0)
• SDK: ninja (1.10.2)
• SDK: pahole (1.20)
• SDK: perf (5.15)
• SDK: portage (3.0.28)
• SDK: qemu (6.1.0)
• SDK: seabios (1.14.0)