kinvolk/manifest v3185.1.0

on GitHub

New Beta Release 3185.1.0

Changes since Beta 3139.1.1

Security fixes:

• Linux (CVE-2022-1015, CVE-2022-1016)
• cifs-utils (CVE-2021-20208)
• containerd (CVE-2022-23648)
• cryptsetup (CVE-2021-4122)
• duktape (CVE-2021-46322)
• intel-microcode (CVE-2021-0127, CVE-2021-0146)
• libarchive (CVE-2021-31566, CVE-2021-36976)
• libxml2 (CVE-2022-23308)
• nvidia-drivers (CVE-2022-21814, CVE-2022-21813)
• shadow (CVE-2013-4235)
• systemd (CVE-2021-3997)
• vim (CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4136, CVE-2021-4173, CVE-2021-4166, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0392, CVE-2022-0393, CVE-2022-0407, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443)
• SDK: squashfs-tools (CVE-2021-40153, CVE-2021-41072)

Bug fixes:

• AWS: specify correct console (ttyS0) on kernel command line for ARM64 instances (coreos-overlay#1628)
• Made Ignition write the SSH keys into a file under authorized_keys.d/ignition again and added a call to update-ssh-keys after Ignition ran to create the merged authorized_keys file, which fixes the problem that keys added by Ignition get lost when update-ssh-keys runs (init#66)

Changes:

• Added auditd.service but left it disabled by default, a custom configuration can be created by removing /etc/audit/auditd.conf and replacing it with an own file (coreos-overlay#1636)
• The systemd-networkd ManageForeignRoutes and ManageForeignRoutingPolicyRules settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under /etc/systemd/networkd.conf.d/ because drop-in files take precedence over /etc/systemd/networkd.conf (init#61)
• Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against NFS4.1 server. (coreos-overlay#1664)
• Merge the Flatcar Pro features into the regular Flatcar images (coreos-overlay#1679)
• Besides Ignition v1 and v2 configurations, Ignition configurations with specification v3 (up to 3.3.0) are now supported, see the docs section for details
• Made SELinux enabled by default in default containerd configuration file. (coreos-overlay#1699)
• Removed rngd.service because it is not essential anymore for the kernel to boot fast in VM environments (coreos-overlay#1700)
• Enabled systemd-sysext.service to activate systemd-sysext images on boot, to disable you will need to mask it. Also added a helper service ensure-sysext.service which reloads the systemd units to reevaluate the sockets, timers, and multi-user targets when systemd-sysext.service is (re)started, making it possible to enable units that are part of a sysext image (coreos-overlay#65)
• For amd64 /usr/lib used to be a symlink to /usr/lib64 but now they became two separate folders as common in other distributions (and was the case for arm64 already). Compatibility symlinks exist in case /usr/lib64 was used to access, e.g., the modules folder or the systemd folder (coreos-overlay#1713, scripts#255)
• Enabled FIPS mode for cryptsetup (coreos-overlay#1747)
• Added cryptsetup to the initramfs for the Ignition luks directive (flatcar-linux/coreos-overlay#1760)
• Enabled FIPS mode for cryptsetup (portage-stable#312)
• Defined a systemd-sysext level that sysext images can match for instead of the OS version when they don't have a strong coupling, meaning the only metadata required is SYSEXT_LEVEL=1.0 and ID=flatcar (Flatcar#643)
• Azure: Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool.
• DigitalOcean: In addition to the bz2 image, a gz compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail.
• OpenStack: In addition to the bz2 image, a gz compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image.
• SDK: The image compression format is now configurable. Supported formats are: bz2, gz, zip, none, zst. Selecting the image format can now be done by passing the --image_compression_formats option. This flag gets a comma separated list of formats.

Updates:

• Linux (5.15.32) (from 5.15.30)
• Linux Firmware (20220310)
• Docker (20.10.13)
• bpftool (5.15.8)
• bridge-utils (1.7.1)
• ca-certificates (3.77)
• cifs-utils (6.13)
• containerd (1.6.1)
• cryptsetup (2.4.3)
• dosfstools (4.2)
• duktape (2.7.0)
• gcc (10.3.0)
• grep (3.7)
• ignition (2.13.0)
• intel-microcode (20220207_p20220207)
• iperf (3.10.1)
• kexec-tools (2.0.22)
• less (590)
• libarchive (3.5.3)
• libmspack (0.10.1_alpha)
• libxml2 (2.9.13)
• lsscsi (0.32)
• nfs-utils (2.5.4)
• nvidia-drivers (510.47.03)
• nvme-cli (1.16)
• pam (1.5.1_p20210622)
• pambase (20220214)
• pinentry (1.2.0)
• quota (4.06)
• rpcbind (1.2.6)
• shadow (4.11.1)
• socat (1.7.4.3)
• systemd (250.3)
• thin-provisioning-tools (0.9.0)
• timezone-data (2021a)
• vim (8.2.4328)
• whois (5.5.11)
• xfsprogs (5.14.2)
• Azure: WALinuxAgent (2.6.0.2)
• VMWare: open-vm-tools (12.0.0)
• SDK: gcc-config (2.5)
• SDK: iasl (20200717)
• SDK: man-db (2.9.4)
• SDK: man-pages (5.12-r2)
• SDK: netperf (2.7.0)
• SDK: Rust (1.59.0)
• SDK: squashfs-tools (4.5_p20210914)

Changes since Alpha 3185.0.0

Security fixes:

• Linux (CVE-2022-1015, CVE-2022-1016)

Bug fixes:

• Made Ignition write the SSH keys into a file under authorized_keys.d/ignition again and added a call to update-ssh-keys after Ignition ran to create the merged authorized_keys file, which fixes the problem that keys added by Ignition get lost when update-ssh-keys runs (init#66)

Changes:

• Enabled FIPS mode for cryptsetup (flatcar-linux/coreos-overlay#1747)
• Added cryptsetup to the initramfs for the Ignition luks directive (flatcar-linux/coreos-overlay#1760)
• Enabled FIPS mode for cryptsetup (portage-stable#312)

Updates:

• Linux (5.15.32) (from 5.15.30)
• ca-certificates (3.77)