New Stable Release 3227.2.0
Changes since Beta 3227.1.1
Security fixes:
- Linux (CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744, CVE-2022-34918)
- Go (CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148)
Bug fixes:
- The Ignition v3 kargs directive failed when used with the generic image, where no grub.cfg exists; this was fixed by creating it first (bootengine#47)
Changes:
- Enabled the containerd.service unit and the br_netfilter and overlay modules by default to follow Kubernetes requirements (coreos-overlay#1944, init#72)
Updates:
- Linux (5.15.55 (includes 5.15.54, 5.15.53, 5.15.52, 5.15.51, 5.15.50, 5.15.49))
- Go (1.17.12)
- ca-certificates (3.80)
Changes compared to Stable 3139.2.3
Security fixes:
- Linux (CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744, CVE-2022-34918)
- Go (CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148)
- cifs-utils (CVE-2021-20208)
- containerd (CVE-2022-23648, CVE-2022-24769, CVE-2022-31030)
- cryptsetup (CVE-2021-4122)
- duktape (CVE-2021-46322)
- gnutls (CVE-2021-4209, GNUTLS-SA-2022-01-17)
- gzip,xz-utils (CVE-2022-1271)
- intel-microcode (CVE-2021-0127, CVE-2021-0146)
- libarchive (CVE-2021-31566, CVE-2021-36976, CVE-2022-26280)
- libxml2 (CVE-2022-23308)
- nvidia-drivers (CVE-2022-28181, CVE-2022-28183, CVE-2022-28184, CVE-2022-28185)
- shadow (CVE-2013-4235)
- systemd (CVE-2021-3997)
- util-linux (CVE-2021-3995, CVE-2021-3996, CVE-2022-0563)
- vim (CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4136, CVE-2021-4173, CVE-2021-4166, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0392, CVE-2022-0393, CVE-2022-0407, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443)
- zlib (CVE-2018-25032)
- SDK: squashfs-tools (CVE-2021-40153, CVE-2021-41072)
Bug fixes:
- Added networkd translation to the files section when converting from Ignition 2.x to Ignition 3.x (coreos-overlay#1910, flatcar#741)
- Added a remount action as a systemd-sysext.service drop-in unit to restore the OEM partition mount after the overlay mounts in /usr are done (init#69)
- Fixed Ignition's OEM ID to be metal to follow the Ignition upstream change, which otherwise resulted in a broken boot when the Flatcar OEM ID pxe was used (bootengine#45)
- Made Ignition write the SSH keys into a file under authorized_keys.d/ignition again and added a call to update-ssh-keys after Ignition ran to create the merged authorized_keys file, which fixes the problem that keys added by Ignition get lost when update-ssh-keys runs (init#66)
- Skipped starting ensure-sysext.service if systemd-sysext.service won't be started, to prevent reporting a dependency failure (Flatcar#710)
- The Ignition v3 kargs directive failed when used with the generic image, where no grub.cfg exists; this was fixed by creating it first (bootengine#47)
Changes:
- Added auditd.service but left it disabled by default; a custom configuration can be created by removing /etc/audit/auditd.conf and replacing it with your own file (coreos-overlay#1636)
- Added cryptsetup to the initramfs for the Ignition luks directive (flatcar-linux/coreos-overlay#1760)
- Besides Ignition v1 and v2 configurations, Ignition configurations with specification v3 (up to 3.3.0) are now supported, see the docs section for details
- Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against an NFS4.1 server. (coreos-overlay#1664)
- Enabled CONFIG_INTEL_RAPL in the AMD64 kernel config to compile the intel_rapl_common module in order to allow power monitoring on modern Intel processors (coreos-overlay#1801)
- Enabled the containerd.service unit and the br_netfilter and overlay modules by default to follow Kubernetes requirements (coreos-overlay#1944, init#72)
- Enabled systemd-sysext.service to activate systemd-sysext images on boot; to disable it you will need to mask it. Also added a helper service ensure-sysext.service which reloads the systemd units to reevaluate the sockets, timers, and multi-user targets when systemd-sysext.service is (re)started, making it possible to enable units that are part of a sysext image (init#65)
- For amd64, /usr/lib used to be a symlink to /usr/lib64 but they are now two separate folders, as is common in other distributions (and was already the case for arm64). Compatibility symlinks exist in case /usr/lib64 was used to access, e.g., the modules folder or the systemd folder (coreos-overlay#1713, scripts#255)
- Made SELinux enabled by default in the default containerd configuration file (coreos-overlay#1699)
- Removed rngd.service because it is not essential anymore for the kernel to boot fast in VM environments (coreos-overlay#1700)
- The systemd-networkd ManageForeignRoutes and ManageForeignRoutingPolicyRules settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under /etc/systemd/networkd.conf.d/, because drop-in files take precedence over /etc/systemd/networkd.conf (init#61)
- Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool.
- Defined a systemd-sysext level that sysext images can match against instead of the OS version when they don't have a strong coupling, meaning the only metadata required is SYSEXT_LEVEL=1.0 and ID=flatcar (Flatcar#643)
- ARM64: Added cifs-utils for ARM64
- ARM64: Added sssd, adcli and realmd for ARM64
- AWS EC2: Removed the setup of /etc/hostname from the instance metadata because it used a long FQDN; the hostname set via DHCP can be used instead (Flatcar#707)
- Azure: Set up /etc/hostname from instance metadata with Afterburn
- DigitalOcean: In addition to the bz2 image, a gz compressed image is published. This helps against hitting the compression timeout that sometimes makes the image import fail.
- OpenStack: In addition to the bz2 image, a gz compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image.
- SDK: The image compression format is now configurable. Supported formats are: bz2, gz, zip, none, zst. Selecting the image format can now be done by passing the --image_compression_formats option. This flag takes a comma separated list of formats.
- SDK / ARM64: Added go-tspi bindings for ARM64
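As an added illustration of the systemd-networkd change above (this is an example file, not part of the release notes or of Flatcar's own configuration), the following drop-in re-enables the two foreign-route settings on a host where networkd should own all routes. The file name is an assumption: drop-ins are applied in lexical order with later files winning, so the name must sort after the vendor drop-in that disables the settings.

```ini
; /etc/systemd/networkd.conf.d/90-foreign-routes.conf
; Example file, name assumed. Both keys live in the [Network] section of
; networkd.conf; the Flatcar drop-in sets them to "no", this later drop-in
; overrides that with "yes".
[Network]
ManageForeignRoutes=yes
ManageForeignRoutingPolicyRules=yes
```

With the settings enabled, networkd tracks and may remove routes and policy rules created by other tools (container network plugins, VPN clients), which is the behaviour the default drop-in avoids; leave it at the default unless you want networkd to manage those routes. To confirm which value wins after adding the file, run systemd-analyze cat-config systemd/networkd.conf, which prints the main file followed by every drop-in in the order they are applied.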
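As an added example for the systemd-sysext level described above (not taken from the release notes or from a Flatcar image), this is the metadata file a sysext image needs so that it is accepted on any Flatcar release with the same sysext level rather than on one exact OS version. The extension name "example" is assumed; systemd requires the file to be named extension-release.NAME where NAME matches the image's file or directory name.

```ini
# /usr/lib/extension-release.d/extension-release.example  (inside the sysext image)
# Example metadata, extension name assumed. ID must equal the host's os-release ID.
# With SYSEXT_LEVEL present, no VERSION_ID is needed; without it, the image would
# only activate on a host whose VERSION_ID matches exactly.
ID=flatcar
SYSEXT_LEVEL=1.0
```

Place the image under /etc/extensions/ or /var/lib/extensions/ and check the result with systemd-sysext status; an image whose ID or SYSEXT_LEVEL does not match the host is skipped rather than merged, so a version bump of the OS that keeps SYSEXT_LEVEL=1.0 leaves the extension active.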
Updates:
- Linux (5.15.55 (includes 5.15.54, 5.15.53, 5.15.52, 5.15.51, 5.15.50, 5.15.49, 5.15.48, 5.15.47, 5.15.46, 5.15.45, 5.15.44, 5.15.43, 5.15.42, 5.15.41, 5.15.40, 5.15.39, 5.15.38, 5.15.37, 5.15.36, 5.15.35))
- Linux Firmware (20220411 (includes 20220310, 20220209))
- Docker (20.10.14 (includes 20.10.13))
- Go (1.17.12)
- afterburn (5.2.0)
- bind-tools (9.16.27)
- bpftool (5.15.8)
- bridge-utils (1.7.1)
- ca-certificates (3.80 (includes 3.79, 3.78, 3.77, 3.76, 3.75))
- cifs-utils (6.13)
- conntrack-tools (1.4.6)
- containerd (1.6.6 (includes 1.6.5, 1.6.4, 1.6.3, 1.6.2, 1.6.1, 1.6.0))
- cryptsetup (2.4.3)
- dosfstools (4.2)
- duktape (2.7.0)
- e2fsprogs (1.46.4)
- elfutils (0.186)
- gcc (10.3.0)
- gnutls (3.7.3)
- grep (3.7)
- gzip (1.12 (includes 1.11))
- ignition (2.13.0)
- intel-microcode (20220207_p20220207)
- iperf (3.10.1)
- jansson (2.14)
- kexec-tools (2.0.22)
- less (590)
- libarchive (3.6.1 (includes 3.5.3))
- libbsd (0.11.3)
- libmspack (0.10.1_alpha)
- libnetfilter_queue (1.0.5)
- libpcap (1.10.1)
- libtasn1 (4.17.0)
- liburing (2.1)
- libxml2 (2.9.13)
- lsscsi (0.32)
- mdadm (4.2)
- multipath-tools (0.8.7)
- nfs-utils (2.5.4)
- nghttp2 (1.45.1)
- nvidia-drivers (510.73.05)
- nvme-cli (1.16)
- oniguruma (6.9.7.1)
- open-isns (0.101)
- pam (1.5.1_p20210622)
- pambase (20220214)
- pcre2 (10.39)
- pinentry (1.2.0)
- quota (4.06)
- rpcbind (1.2.6)
- runc (1.1.1)
- socat (1.7.4.3)
- shadow (4.11.1)
- systemd (250.3)
- timezone-data (2021a)
- tcpdump (4.99.1)
- thin-provisioning-tools (0.9.0)
- unzip (6.0_p26)
- util-linux (2.37.4)
- vim (8.2.4328)
- whois (5.5.11)
- xfsprogs (5.14.2)
- zlib (1.2.12)
- SDK: gcc-config (2.5)
- SDK: iasl (20200717)
- SDK: man-db (2.9.4)
- SDK: man-pages (5.12-r2)
- SDK: netperf (2.7.0)
- SDK: Rust (1.60.0 (includes 1.59.0))
- SDK: squashfs-tools (4.5_p20210914)
- VMware: open-vm-tools (12.0.0)