New Beta Release 3185.1.0
Changes since Beta 3139.1.1
Security fixes:
- Linux (CVE-2022-1015, CVE-2022-1016)
- cifs-utils (CVE-2021-20208)
- containerd (CVE-2022-23648)
- cryptsetup (CVE-2021-4122)
- duktape (CVE-2021-46322)
- intel-microcode (CVE-2021-0127, CVE-2021-0146)
- libarchive (CVE-2021-31566, CVE-2021-36976)
- libxml2 (CVE-2022-23308)
- nvidia-drivers (CVE-2022-21814, CVE-2022-21813)
- shadow (CVE-2013-4235)
- systemd (CVE-2021-3997)
- vim (CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4136, CVE-2021-4173, CVE-2021-4166, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0392, CVE-2022-0393, CVE-2022-0407, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443)
- SDK: squashfs-tools (CVE-2021-40153, CVE-2021-41072)
Bug fixes:
- AWS: specify correct console (ttyS0) on kernel command line for ARM64 instances (coreos-overlay#1628)
- Made Ignition write the SSH keys into a file under authorized_keys.d/ignition again and added a call to update-ssh-keys after Ignition ran to create the merged authorized_keys file, which fixes the problem that keys added by Ignition get lost when update-ssh-keys runs (init#66)
Changes:
- Added auditd.service but left it disabled by default, a custom configuration can be created by removing /etc/audit/auditd.conf and replacing it with an own file (coreos-overlay#1636)
- The systemd-networkd ManageForeignRoutes and ManageForeignRoutingPolicyRules settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under /etc/systemd/networkd.conf.d/ because drop-in files take precedence over /etc/systemd/networkd.conf (init#61)
- Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against NFS4.1 server. (coreos-overlay#1664)
- Merge the Flatcar Pro features into the regular Flatcar images (coreos-overlay#1679)
- Besides Ignition v1 and v2 configurations, Ignition configurations with specification v3 (up to 3.3.0) are now supported, see the docs section for details
- Made SELinux enabled by default in default containerd configuration file. (coreos-overlay#1699)
- Removed rngd.service because it is not essential anymore for the kernel to boot fast in VM environments (coreos-overlay#1700)
- Enabled systemd-sysext.service to activate systemd-sysext images on boot, to disable you will need to mask it. Also added a helper service ensure-sysext.service which reloads the systemd units to reevaluate the sockets, timers, and multi-user targets when systemd-sysext.service is (re)started, making it possible to enable units that are part of a sysext image (coreos-overlay#65)
- For amd64 /usr/lib used to be a symlink to /usr/lib64 but now they became two separate folders as common in other distributions (and was the case for arm64 already). Compatibility symlinks exist in case /usr/lib64 was used to access, e.g., the modules folder or the systemd folder (coreos-overlay#1713, scripts#255)
- Enabled FIPS mode for cryptsetup (coreos-overlay#1747)
- Added cryptsetup to the initramfs for the Ignition luks directive (flatcar-linux/coreos-overlay#1760)
- Enabled FIPS mode for cryptsetup (portage-stable#312)
- Defined a systemd-sysext level that sysext images can match for instead of the OS version when they don't have a strong coupling, meaning the only metadata required is SYSEXT_LEVEL=1.0 and ID=flatcar (Flatcar#643)
- Azure: Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool.
- DigitalOcean: In addition to the bz2 image, a gz compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail.
- OpenStack: In addition to the bz2 image, a gz compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image.
- SDK: The image compression format is now configurable. Supported formats are: bz2, gz, zip, none, zst. Selecting the image format can now be done by passing the --image_compression_formats option. This flag gets a comma separated list of formats.
Updates:
- Linux (5.15.32) (from 5.15.30)
- Linux Firmware (20220310)
- Docker (20.10.13)
- bpftool (5.15.8)
- bridge-utils (1.7.1)
- ca-certificates (3.77)
- cifs-utils (6.13)
- containerd (1.6.1)
- cryptsetup (2.4.3)
- dosfstools (4.2)
- duktape (2.7.0)
- gcc (10.3.0)
- grep (3.7)
- ignition (2.13.0)
- intel-microcode (20220207_p20220207)
- iperf (3.10.1)
- kexec-tools (2.0.22)
- less (590)
- libarchive (3.5.3)
- libmspack (0.10.1_alpha)
- libxml2 (2.9.13)
- lsscsi (0.32)
- nfs-utils (2.5.4)
- nvidia-drivers (510.47.03)
- nvme-cli (1.16)
- pam (1.5.1_p20210622)
- pambase (20220214)
- pinentry (1.2.0)
- quota (4.06)
- rpcbind (1.2.6)
- shadow (4.11.1)
- socat (1.7.4.3)
- systemd (250.3)
- thin-provisioning-tools (0.9.0)
- timezone-data (2021a)
- vim (8.2.4328)
- whois (5.5.11)
- xfsprogs (5.14.2)
- Azure: WALinuxAgent (2.6.0.2)
- VMWare: open-vm-tools (12.0.0)
- SDK: gcc-config (2.5)
- SDK: iasl (20200717)
- SDK: man-db (2.9.4)
- SDK: man-pages (5.12-r2)
- SDK: netperf (2.7.0)
- SDK: Rust (1.59.0)
- SDK: squashfs-tools (4.5_p20210914)
Changes since Alpha 3185.0.0
Security fixes:
- Linux (CVE-2022-1015, CVE-2022-1016)
Bug fixes:
- Made Ignition write the SSH keys into a file under authorized_keys.d/ignition again and added a call to update-ssh-keys after Ignition ran to create the merged authorized_keys file, which fixes the problem that keys added by Ignition get lost when update-ssh-keys runs (init#66)
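Added example, not part of the release notes or of Flatcar's own code: a check for the failure mode in the SSH key fix above (listed in both bug fix sections), comparing the fragments under authorized_keys.d/ with the merged authorized_keys file. It assumes the merged file should hold exactly the keys found in the fragments; the function names key_ids and audit_authorized_keys are hypothetical.

```shell
#!/bin/sh
# Audit an .ssh directory for drift between authorized_keys.d/ fragments and
# the merged authorized_keys file (assumed model: merged == union of fragments).
# Example call: audit_authorized_keys /home/core/.ssh

# Print "keytype base64" for each key line, skipping comments and blank lines
# and ignoring leading options and trailing key comments. Options containing
# spaces inside quotes are not handled.
key_ids() {
    awk 'NF && $1 !~ /^#/ {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break }
    }' "$@"
}

# audit_authorized_keys SSH_DIR
# Emits one line per finding:
#   MISSING <fragment> <keytype>  key is in a fragment but not in the merged file
#   UNTRACKED <keytype>           key is in the merged file but in no fragment
audit_authorized_keys() {
    dir=$1
    merged=$(key_ids "$dir/authorized_keys" 2>/dev/null)
    all_frag=""
    for f in "$dir"/authorized_keys.d/*; do
        [ -f "$f" ] || continue
        ids=$(key_ids "$f")
        all_frag="$all_frag
$ids"
        printf '%s\n' "$ids" | while read -r type blob; do
            [ -n "$blob" ] || continue
            printf '%s\n' "$merged" | grep -qxF -e "$type $blob" ||
                echo "MISSING $(basename "$f") $type"
        done
    done
    printf '%s\n' "$merged" | while read -r type blob; do
        [ -n "$blob" ] || continue
        printf '%s\n' "$all_frag" | grep -qxF -e "$type $blob" ||
            echo "UNTRACKED $type"
    done
}
```

A MISSING line for the ignition fragment is the symptom described in init#66; an UNTRACKED line means a key was written to authorized_keys directly and will not survive the next merge.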
Changes:
- Enabled FIPS mode for cryptsetup (flatcar-linux/coreos-overlay#1747)
- Added cryptsetup to the initramfs for the Ignition luks directive (flatcar-linux/coreos-overlay#1760)
- Enabled FIPS mode for cryptsetup (portage-stable#312)