Releases

New Beta release 2983.1.0

Changes since Beta 2942.1.2

Update to CGroupsV2

As of Alpha version 2969.0.0, Flatcar Container Linux migrates to the unified cgroup hierarchy (aka CGroupsV2)! New nodes will utilize CGroupsV2 by default. Existing nodes remain on CGroupsV1 and need to be manually migrated to CGroupsV2. To learn more about CGroupsV2 on Flatcar Container Linux and the migration guide, please refer to https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-to-unified-cgroups/

Security fixes

• dnsmasq (CVE-2021-3448)
• glibc (CVE-2021-35942)
• Go (CVE-2021-36221)
• libuv (CVE-2021-22918)
• mit-krb5 (CVE-2021-36222)
• tar (CVE-2021-20193)
• expat (CVE-2013-0340)
• Linux (CVE-2021-3753, CVE-2021-3739)

Bug Fixes

• Fixed containerd config after introduction of CGroupsV2 (coreos-overlay#1214)
• Fixed path for amazon-ssm-agent in base-ec2.ign (coreos-overlay#1228)
• Fixed locksmith adhering to reboot window when getting the etcd lock (locksmith#10)
• Disabled SELinux by default on dockerd wrapper script (coreos-overlay#1149)
• Let network-cleanup.service finish before entering rootfs (coreos-overlay#1182)

Changes

• Added Azure Generation 2 VM support (coreos-overlay#1198)
• cgroups v2 by default for new nodes (coreos-overlay#931).
• Upgrade Docker to 20.10 (coreos-overlay#931)
• Switched Docker ecosystem packages to go1.16 (coreos-overlay#1217)
• Added lbzip2 binary to the image (coreos-overlay#1221)
• flatcar-install uses lbzip2 if present, falls back on bzip2 if not (init#46)
• Added Intel E800 series network adapter driver (coreos-overlay#1237)
• Enabled ‘audit’ use flag for sys-libs/pam (coreos-overlay#1233)
• Bumped etcd and flannel to respectively 3.5.0, 0.14.0 to get multiarch images for arm64 support. Note for users of the old etcd v2 support: ETCDCTL_API=2 must be set to use v2 store as well as ETCD_ENABLE_V2=true in the etcd-member.service - this support will be removed in 3.6.0 (coreos-overlay#1179)
• Switched to zstd compression for the initramfs (coreos-overlay#1136)
• Support BTRFS in OEM and /usr partitions, but only used it for the OEM partition for now. Ignition configurations that refer to the OEM partition will work with any filesystem format specified, a mismatch is not resulting in a boot error. (coreos-overlay#1106)
• Switched the arm64 kernel to use a 4k page size instead of 64k
• Switched dm-verity corruption detection to issue a kernel panic (a panic results in a reboot after 1 minute, this was the case before already) instead of merely failing certain syscalls that try to use the corrupted data
• Support BTRFS in OEM and /usr partitions, but only used it for the OEM partition for now. Ignition configurations that refer to the OEM partition will work with any filesystem format specified, a mismatch is not resulting in a boot error. (coreos-overlay#1106)
• Enabled zstd compression for the initramfs and for amd64 also for the kernel because we hit the vmlinuz size limit on the /boot partition
• Deleted the unused kernel+initramfs vmlinuz file from the /usr partition
• devcontainer: added support to run on arm64 by switching to an architecture-agnostic partition UUID
• Enabled ARM64 SDK bootstrap (scripts#134)
• SDK: enabled experimental ARM64 SDK usage (flatcar-scripts#134) (flatcar-scripts#141)
• AWS: Added amazon-ssm-agent (coreos-overlay#1162)
• Azure: Compile OEM contents for all architectures (coreos-overlay#1196)
• update_engine: add postinstall hook to stay on cgroupv1 (update_engine#13)

Updates

• Linux (5.10.63)
• Linux firmware (20210818)
• c-ares (1.17.2)
• docker (20.10.8)
• docker CLI (20.10.8)
• docker proxy (0.8.0_p20210525)
• Go (1.16.7)
• glibc (2.33-r5)
• etcd (3.5.0)
• flannel (0.14.0)
• runc (1.0.2)
• strace (5.12)
• wa-linux-agent (2.3.1.1)
• cryptsetup (2.3.6)
• expat (2.4.1)
• portage-utils (0.90)
• libarchive (3.5.1)
• xz-utils (5.2.5)
• tar (1.34)
• libuv (1.41.1)
• tini (0.19)
• mit-krb5 (1.19.2)
• SDK: dnsmasq (2.85)
• SDK: rust (1.54)

Changes since Alpha 2983.0.0

Security fixes

• Linux(CVE-2021-3753, CVE-2021-3739)

Updates

• Linux (5.10.63)

New Beta release 2942.1.2

Changes since Beta 2942.1.1

Security fixes

• Linux (CVE-2021-3653, CVE-2021-3656, CVE-2021-38166)
• openssl (CVE-2021-3711, CVE-2021-3712)

Bug Fixes

• Re-enabled kernel config FS_ENCRYPTION (coreos-overlay#1212)
• Fixed Perl in dev-container (coreos-overlay#1238)

Updates

• Linux (5.10.61)
• openssl (1.1.1l)

Changes since Beta 2942.1.0

Security fixes

• Linux (CVE-2021-34556, CVE-2021-35477, CVE-2021-38205)
• NVIDIA Drivers (CVE-2021-1090, CVE-2021-1093, CVE-2021-1094, CVE-2021-1095)
• Go (CVE-2021-36221)
• Systemd (CVE-2020-13529, CVE-2021-33910)

Bug Fixes

• Fixed pam.d sssd LDAP auth with sudo (coreos-overlay#1170)
• Let network-cleanup.service finish before entering rootfs (coreos-overlay#1182)
• Fixed SELinux policy for Flannel CNI (coreos-overlay#1181)

Changes

• Switched to zstd for the initramfs (coreos-overlay#1136)
• Embedded new subkey in flatcar-install (coreos-overlay#1180)

Updates

• Linux (5.10.59)
• NVIDIA Drivers (470.57.02)
• Systemd (247.9)
• Go (1.16.7)
• portage-utils (0.90)

Changes since Beta 2920.1.0

Security Fixes

• Linux (CVE-2021-37576)
• containerd (CVE-2021-32760)
• glibc (CVE-2020-29562, CVE-2019-25013, CVE-2020-27618, CVE-2021-27645, CVE-2021-33574)
• Go (CVE-2021-34558)
• libgcrypt (CVE-2021-33560)
• libpcre (CVE-2019-20838, CVE-2020-14155)

Bug Fixes

• Added the systemd tag in udev for Azure storage devices, to fix /boot automount (init#41)
• Disabled SELinux by default on dockerd wrapper script (coreos-overlay#1149)
• Set the cilium_vxlan interface to be not managed by networkd’s default setup with DHCP as it’s managed by Cilium. (init#43)
• update_engine_client: Improve feedback when an update is not needed(update_engine#10)
• GCE: Granted CAP_NET_ADMIN to set routes for the TCP LB when starting oem-gce.service (coreos-overlay#1146)

Changes

• Enabled telnet support for curl (coreos-overlay#1099)
• Enabled ssl USE flag for wget (coreos-overlay#932)
• Enabled MDIO_BCM_UNIMAC for arm64 (coreos-overlay#929)

Updates

• Linux (5.10.55)
• containerd (1.5.4)
• dbus (1.12.20)
• dracut (053)
• glibc (2.33)
• go (1.16.6)
• libev (4.33)
• libgcrypt (1.9.3)
• libpcre (8.44)
• libverto (0.3.1)
• pax-utils (1.3.1)
• readline (8.1_p1)
• rust (1.53.0)
• selinux (3.1)
• selinux-refpolicy (2.20200818)
• systemd (247.7)
• VMWare: open-vm-tools (11.3.0)

Changes since Alpha 2942.0.0

Security fixes

• Linux (CVE-2021-37576)

Bug fixes

• Set the cilium_vxlan interface to be not managed by networkd’s default setup with DHCP as it’s managed by Cilium. (init#43)
• Disabled SELinux by default on dockerd wrapper script (coreos-overlay#1149)
• GCE: Granted CAP_NET_ADMIN to set routes for the TCP LB when starting oem-gce.service (coreos-overlay#1146)

Updates

• Linux (5.10.55)

Changes since Alpha 2823.0.0:

Security fixes

• Linux (CVE-2021-28964, CVE-2021-28972, CVE-2021-28971, CVE-2021-28951, CVE-2021-28952, CVE-2021-29266, CVE-2021-28688, CVE-2021-29264, CVE-2021-29649, CVE-2021-29650, CVE-2021-29646, CVE-2021-29647, CVE-2021-29154, CVE-2021-29155, CVE-2021-23133)

Bug fixes

• Fix the patch to update DefaultTasksMax in systemd (coreos-overlay#971)

Updates

• Linux (5.10.32)
• systemd (247.6)

Changes since Beta 2801.1.0:

Security fixes

• Linux (CVE-2021-28964, CVE-2021-28972, CVE-2021-28971, CVE-2021-28951, CVE-2021-28952, CVE-2021-29266, CVE-2021-28688, CVE-2021-29264, CVE-2021-29649, CVE-2021-29650, CVE-2021-29646, CVE-2021-29647, CVE-2021-29154, CVE-2021-29155, CVE-2021-23133)
• Go (CVE-2021-27918, CVE-2021-27919)
• glib (CVE-2021-28153, CVE-2021-27218, CVE-2021-27219)
• boost (CVE-2012-2677)
• ncurses (CVE-2019-17594, CVE-2019-17595)
• zstd (CVE-2021-24032)

Bug Fixes

• Fix the patch to update DefaultTasksMax in systemd (coreos-overlay#971)

Changes

• The pam_faillock PAM module was enabled as replacement for the removed pam_tally2 module and will temporarily lock an account if there were login attempts with a wrong password. The faillock command can be used to show the current state. With pam_tally2 there was no limit for wrong password login attempts but with faillock the default is already restricting the attempts. The default behavior was relaxed to allow 5 wrong passwords per two minutes, and a one minute account lock time. This does not apply to logins with an SSH key. (baselayout#17)
• The etcd and flannel services are now run with Docker and any rkt-based customizations of the etcd-member and flanneld services not supported anymore. Also, because the flanneld service relies on Docker and will restart Docker after applying the new configuration, it is not possible anymore to set Requires=flanneld.service for docker.service and instead it’s enough to have flanneld.service enabled. (coreos-overlay#857)

Updates

• Linux (5.10.32)
• Linux firmware (20210315)
• systemd (247.6)
• Go (1.15.10)
• boost (1.75.0)
• glib (2.66.8)
• ncurses (6.2)
• zstd (1.4.9)

Security fixes

• Linux (CVE-2021-3347, CVE-2021-3348, CVE-2021-26708, CVE-2021-20194)
• Docker (CVE-2021-21285, CVE-2021-21284)
• NVIDIA (CVE-2021-1052, CVE-2021-1053, CVE-2021-1056)

Bug Fixes

• app-crypt/trousers: use correct file permissions (coreos-overlay#809)
• x11-drivers/nvidia-drivers: Handle NVIDIA Version upgrades (https://github.com/kinvolk/coreos-overlay/pull/762)
• flatcar-eks: add missing mkdir and update to latest versions (https://github.com/kinvolk/coreos-overlay/pull/817)

Updates

• Linux (5.10.16)
• Docker (19.03.15)
• NVIDIA Tesla Driver (460.32.03)

Security fixes

• go - CVE-2021-3114
• sudo - CVE-2021-3156, CVE-2021-23239

Bug fixes

• /etc/iscsi/initiatorname.iscsi is generated by the iscsi-init service (#321)
• Prevent iscsiadm buffer overflow (#318)

Changes

• Revert to building docker and containerd with go1.13 instead of go1.15. This reduces the SIGURG log spam (Issue #315 PR #774)
• The containerd socket is now available in the default location (/run/containerd/containerd.sock) and also as a symlink in the previous location (/run/docker/libcontainerd/docker-containerd.sock) (#771)
• With the iscsi update, the service unit has changed from iscsid to iscsi (#791)
• AWS Pro: include scripts to facilitate setup of EKS workers (#794).
• Missed from earlier notes: with the previous open-iscsi update to 2.1.2, the service unit name changed from iscsid to iscsi (#682)

Updates

• open-iscsi (2.1.3)
• go (1.15.7)
• sudo (1.9.5p2)

Security fixes

• Linux
  • CVE-2020-27835
  • CVE-2020-29661
  • CVE-2020-29660
  • CVE-2020-27830
  • CVE-2020-28588

Bug fixes

• The sysctl net.ipv4.conf.*.rp_filter is set to 0 for the Cilium CNI plugin to work (kinvolk/Flatcar#181)
• Package downloads in the developer container now use the correct URL again (kinvolk/Flatcar#298)
• networkd: avoid managing MAC addresses for veth devices (kinvolk/init#33)

Changes

• The sysctl default config file is now applied under the prefix 60 which allows for custom sysctl config files to take effect when they start with a prefix of 70, 80, or 90 (kinvolk/baselayout#13)
• Containerd CRI plugin got enabled by default, only the containerd socket path needs to be specified as kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (kinvolk/Flatcar#283)
• For users with a custom update server a machine alias setting in update-engine allows to give human-friendly names to client instances (kinvolk/update-engine#8)

Updates

• Linux (5.9.16)
• containerd (1.4.3)
• Docker (19.03.14)

Security fixes:

• No changes since Alpha 2705.0.0

Bug fixes:

• No changes since Alpha 2705.0.0

Changes:

• No changes since Alpha 2705.0.0

Updates:

• No changes since Alpha 2705.0.0

Security fixes:

• Linux - CVE-2020-27194, CVE-2020-27152
• Go - CVE-2020-28362, CVE-2020-28367, CVE-2020-28366

Bug fixes:

• network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)

Updates:

• Linux (5.8.18)
• Go (1.15.5)

Security fixes:

• Linux - CVE-2020-25645, CVE-2020-25643, CVE-2020-25211

Bug fixes:

• Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)

Updates:

• Linux 5.8.14

Security fixes:

• Linux: CVE-2020-25284, CVE-2020-14390

Bug fixes:

• Enabled missing systemd services (#191, PR #612)
• Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
• Solved adcli Kerberos Active Directory incompatibility (#194)
• Fixed the makefile path when building kernel modules with the developer container (#195)
• Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config flatcar-linux/coreos-overlay#613

Changes:

• GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)

Updates:

• Linux 5.8.11
• adcli 0.9.0
• GCE: oslogin 20200910.00

Bug fixes:

• Fix resetting of DNS nameservers in systemd-networkd units (PR#12)

Changes:

• Disable TX checksum offloading for the IP-in-IP tunl0 interface used by Calico (PR#26). This is a workaround for a Mellanox driver issue, currently tracked in Flatcar#183
• Set sysctl net.ipv4.conf.(all|*).rp_filter to 0 (instead of the systemd upstream value 2) to be less restrictive which some network solutions rely on (PR#11)
• flatcar-install allows installation to a multipath drive (PR#24)

Updates:

• Linux 5.4.65

Security fixes:

• Linux kernel: Fix AF_PACKET overflow in tpacket_rcv CVE-2020-14386

Updates:

• Linux 5.4.62

Changes from Alpha release 2605.1.0

Changes:

• Update public key to include new subkey

Security fixes:

• Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Bug fixes:

• etcd-wrapper: Adjust data dir permissions (flatcar-linux/coreos-overlay#536)

Updates:

• Linux 5.4.59
• bind-tools 9.11.22
• etcd-wrapper 3.3.24

Changes since the Alpha release 2513.1.0

Bug Fixes:

• The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] https://github.com/flatcar-linux/bootengine/pull/15

Updates:

• Linux 5.4.52

Flatcar updates

Security fixes:

• Fix the Intel Microcode vulnerabilities (CVE-2020-0543)

Changes:

• A source code and licensing overview is available under /usr/share/licenses/INFO

Updates:

• Linux 4.19.128
• intel-microcode 20200609

Flatcar updates

Security fixes:

• Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
• Fix Git arbitrary path overwrite, credential leak from credential helpers, remote code execution in recursive clones, and arbitrary command execution via submodules (CVE-2019-1348, CVE-2019-1387, CVE-2019-19604, CVE-2020-11008, CVE-2020-5260)
• Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
• Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
• Fix libidn2 domain impersonation (CVE-2019-12290)
• Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
• Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
• Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
• Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
• Fix vim arbitrary command execution via crafted file (CVE-2019-12735)

Bug fixes:

• When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar-linux/update_engine/pull/5)
• Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed
• Use the correct BINHOST URLs in the development container to download binary packages

Changes:

• Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar-linux/bootengine/pull/13)
• Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
• Use flatcar.autologin kernel command line parameter on Azure and VMware for auto login on the serial console
• Include conntrack (conntrack-tools)
• Include journalctl output, pstore kernel crash logs, and coredumpctl list output in the mayday report
• Update wa-linux-agent to 2.2.46 on Azure
• Support both coreos.config.* and flatcar.config.* guestinfo variables on VMware OEM

Updates:

• e2fsprogs 1.45.5
• etcd 3.3.20
• etcdctl 3.3.20
• Git 2.24.1
• Linux 4.19.124
• OpenSSL 1.0.2u
• vim 8.2.0360

Flatcar updates

Bug fixes:

• Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
  • It is a possible breaking change for some persistent network interface names
• Fix URL scheme in emerge-gitclone (https://github.com/flatcar-linux/coreos-overlay/issues/223)
• Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
• Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
• Remove /boot/coreos/first_boot after a Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
• Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)

Changes:

• Add kernel config for QEDE driver (https://github.com/flatcar-linux/coreos-overlay/pull/198)
• Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)

Updates:

• Linux 4.19.112

Flatcar updates

Bug fixes:

• Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
• Fix backwards compatibility issues for users to migrate from CoreOS Container Linux. Support the kernel command line parameters coreos.oem.*, coreos.autologin, coreos.first_boot, and the QEMU firmware config path opt/com.coreos/config (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)

Upstream Container Linux updates

Updates:

• Linux 4.19.106

Flatcar updates

Bug fixes:

• Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
• Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
• Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)

Upstream Container Linux updates:

Security fixes:

• Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)

Changes:

• Enable qede kernel module

Updates:

• Linux 4.19.102

Upstream Container Linux updates:

Security fixes:

• Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)

Updates:

• Git 2.24.1
• Linux 4.19.95

Flatcar updates

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)
• Fix bug of unpacking tarballs failing when xattr is not supported (https://github.com/flatcar-linux/torcx/pull/2)

Updates:

• ldb 1.3.6
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37

Upstream Container Linux updates:

Updates:

• Linux 4.19.87

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)

Updates:

• intel-microcode 20191115
• Linux 4.19.84

Upstream Container Linux updates:

Bug fixes:

• Fix time zone for Brazil (#2627)

Updates:

• Linux 4.19.81
• timezone-data 2019c

Upstream Container Linux updates:

Updates:

• Linux 4.19.79

Upstream Container Linux updates:

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2247.3.0 (#2616)

Updates:

• Linux 4.19.78

Upstream Container Linux updates:

Security fixes:

• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)

Updates:

• intel-microcode 20190918
• Linux 4.19.75

Upstream Container Linux updates:

Updates:

• Linux 4.19.71

Upstream Container Linux updates:

Security fixes:

• Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)

Updates:

• Linux 4.19.69

Upstream Container Linux updates:

Security fixes:

• Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)

Updates:

• Linux 4.19.68
• wget 1.20.3

Upstream Container Linux updates:

Security fixes:

• Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)

Updates:

• Linux 4.19.65

Flatcar updates

Bug fixes:

• Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
• Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
• Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)

Upstream Container Linux updates:

Security fixes:

• Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)

Updates:

• Linux 4.19.65

Flatcar updates

Changes:

• Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)

Upstream Container Linux updates:

• Linux 4.19.62

Upstream Container Linux updates:

No changes for beta promotion

Upstream Container Linux updates:

Bug fixes:

• Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)

Updates:

• Ignition 0.33.0

Upstream Container Linux updates:

Updates:

• Linux 4.19.53

Upstream Container Linux updates:

Security fixes:

• Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)

Bug fixes:

• Fix invalid bzip2 compression of Container Linux release images (#2589)

Updates:

• Linux 4.19.50

Upstream Container Linux updates:

Updates:

• Linux 4.19.44

Upstream Container Linux updates:

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)

Updates:

• intel-microcode 20190514
• Linux 4.19.43

Upstream Container Linux updates:

Bug fixes:

• Fix systemd MountFlags=shared option (#2579)

Changes:

• Pin network interface naming to systemd v238 scheme (#2578)

Upstream Container Linux updates:

Bug fixes:

• Disable new sticky directory protections for backward compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Linux 4.19.36

Upstream Container Linux updates:

Bug fixes:

• Disable new sticky directory protections for backwards compatibility (#2577)

Changes:

• Enable atlantic kernel module (#2576)

Updates:

• Linux 4.19.34

Upstream Container Linux updates:

Bug fixes:

• Fix systemd presets incorrectly handling escaped unit names (#2569)

Updates:

• Linux 4.19.31

Upstream Container Linux updates:

Bug fixes:

• Fix systemd-journald memory leak (#2564)

Updates:

• Linux 4.19.28

Upstream Container Linux updates:

Security fixes:

• Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
• Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)

Updates:

• Linux 4.19.25

Upstream Container Linux updates:

Updates:

• Linux 4.19.23

Upstream Container Linux updates:

Security fixes:

• Fix runc container breakout (CVE-2019-5736)

Changes:

• Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)

Updates:

• etcd 3.3.12
• etcdctl 3.3.12
• Linux 4.19.20

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in ECC (CVE-2019-6486)

Updates:

• Go 1.10.8
• Go 1.11.5
• Linux 4.19.18

Upstream Container Linux updates:

Updates:

• Linux 4.19.13

Upstream Container Linux updates:

Security fixes:

• Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
• Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)

Updates:

• Go 1.10.6
• Go 1.11.3
• Linux 4.14.88

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.84 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)

Updates:

• Linux 4.14.81

Upstream Container Linux updates:

Security fixes:

• Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
• Fix systemd race allowing changing file permissions (CVE-2018-15687)
• Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)

Changes:

• Switch to the LTS Linux version 4.14.79 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Git remote code execution during recursive clone (CVE-2018-17456)

Bug fixes:

• Fix missing kernel headers (#2505)

Updates:

• Git 2.16.5
• Linux 4.14.78

Flatcar updates

Changes:

• Add new image signing subkey to flatcar-install (flatcar-linux/init#4)

Bug fixes:

• Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)

Upstream Container Linux updates:

Changes:

• Switch to the LTS Linux version 4.14.74 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix Docker mounting named volumes (#2497)

Changes:

• Switch to the LTS Linux version 4.14.69 for the beta channel

Updates:

• intel-microcode 20180807a

Upstream Container Linux updates:

Changes:

• Drop AWS PV images from regions which do not support PV

Updates:

• containerd 1.1.2
• Docker 18.06.1-ce
• intel-microcode 20180807a
• Linux 4.14.67

Upstream Container Linux updates:

Security fixes:

• Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
• Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)

Bug fixes:

• Fix PXE systems attempting to mount an ESP (#2491)

Changes:

• Switch to the LTS Linux version 4.14.63 for the beta channel

Upstream Container Linux updates:

Security fixes:

• Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)

Bug fixes:

• Fix failure to mount large ext4 filesystems (#2485)

Updates:

• Linux 4.14.60

Upstream Container Linux updates:

Bug fixes:

• Fix kernel CIFS client (#2480)

Updates:

• Linux 4.14.59

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.57 for the beta channel

Upstream Container Linux updates:

Updates:

• Linux 4.14.55

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.50 for the beta channel

Upstream Container Linux updates:

Bug fixes:

• Fix TCP connection stalls (#2457)

Updates:

• Linux 4.14.49

Upstream Container Linux updates:

Bug fixes:

• Fix Hyper-V network driver regression (#2454)

Updates:

• Linux 4.14.48

Upstream Container Linux updates:

Security fixes:

• Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)

Bug fixes:

• Fix inadvertent change of network interface names (#2437)
• Fix failure to set network interface MTU (#2443)

Updates:

• Git 2.16.4
• Linux 4.14.47

Upstream Container Linux updates:

Changes:

• Switch to the LTS Docker version 18.03.1-ce for the beta channel
• Switch to the LTS Linux version 4.14.42 for the beta channel

Updates:

• Ignition 0.24.1

Upstream Container Linux updates:

Security fixes:

• Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
• Fix ntp denial of service from out of bounds read (CVE-2018-7182)
• Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
• Fix ntp remote code execution (CVE-2018-7183)

Updates:

• containerd 1.0.3
• Docker 18.03.1-ce
• Linux 4.14.39
• ntp 4.2.8p11

Upstream Container Linux updates:

Bug fixes:

• Fix docker2aci tar conversion (#2402)

Changes:

• Switch to the LTS Linux version 4.14.35 for the beta channel

Flatcar updates

Initial Flatcar release.

Bug fixes:

• Fix GRUB crash at boot (#2284)
• Fix poweroff problems (#8080)

Notes:

• Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.

Upstream Container Linux updates:

Bug fixes:

• Fix kernel panic with vxlan (#2382)

New Alpha release 2983.0.0

Update to CGroupsV2

As of Alpha version 2969.0.0, Flatcar Container Linux migrates to the unified cgroup hierarchy (aka CGroupsV2)! New nodes will utilize CGroupsV2 by default. Existing nodes remain on CGroupsV1 and need to be manually migrated to CGroupsV2. To learn more about CGroupsV2 on Flatcar Container Linux and the migration guide, please refer to https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-to-unified-cgroups/

Changes since Alpha 2969.0.0

Security fixes

• Linux (CVE-2021-3653, CVE-2021-3656, CVE-2021-38166)
• openssl (CVE-2021-3711, CVE-2021-3712)
• c-ares (CVE-2021-3672)

Bug Fixes

• Re-enabled kernel config FS_ENCRYPTION (coreos-overlay#1212)
• Fixed Perl in dev-container (coreos-overlay#1238)
• Fixed containerd config after introduction of CGroupsV2 (coreos-overlay#1214)
• Fixed path for amazon-ssm-agent in base-ec2.ign (coreos-overlay#1228)
• flatcar-install: randomized OEM filesystem UUID if mounting fails (init#47)
• Fixed null-pointer deref crash in Ignition when specifying the OEM filesystem without a label (ignition#25)
• Fixed locksmith adhering to reboot window when getting the etcd lock (locksmith#10)

Changes

• Added Azure Generation 2 VM support (coreos-overlay#1198)
• Switched Docker ecosystem packages to go1.16 (coreos-overlay#1217)
• Added lbzip2 binary to the image (coreos-overlay#1221)
• flatcar-install uses lbzip2 if present, falls back on bzip2 if not (init#46)
• Added Intel E800 series network adapter driver (coreos-overlay#1237)
• Enabled ‘audit’ use flag for sys-libs/pam (coreos-overlay#1233)
• Bumped etcd and flannel to respectively 3.5.0, 0.14.0 to get multiarch images for arm64 support. Note for users of the old etcd v2 support: ETCDCTL_API=2 must be set to use v2 store as well as ETCD_ENABLE_V2=true in the etcd-member.service - this support will be removed in 3.6.0 (coreos-overlay#1179)

Updates

• Linux (5.10.61)
• Linux firmware (20210818)
• openssl (1.1.1l)
• c-ares (1.17.2)
• docker (20.10.8)
• etcd (3.5.0)
• flannel (0.14.0)
• runc (1.0.2)
• strace (5.12)
• wa-linux-agent (2.3.1.1)

Note: Please note that ARM images remain experimental for now.

Update to CGroupsV2

Flatcar Container Linux migrates to the unified cgroup hierarchy (aka cgroups v2)! New nodes will utilize cgroups v2 by default. Existing nodes remain on cgroups v1 and need to be manually migrated to cgroups v2. To learn more about the cgroups v2 on Flatcar Container Linux and the migration guide, please refer to https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-to-unified-cgroups/

Security fixes

• Linux (CVE-2021-34556, CVE-2021-35477, CVE-2021-38205)
• dnsmasq (CVE-2021-3448)
• glibc (CVE-2021-35942)
• Go (CVE-2021-36221)
• libuv (CVE-2021-22918)
• mit-krb5 (CVE-2021-36222)
• NVIDIA Drivers (CVE-2021-1090, CVE-2021-1093, CVE-2021-1094, CVE-2021-1095)
• systemd (CVE-2020-13529, CVE-2021-33910)
• tar (CVE-2021-20193)

Bug fixes

• Fixed pam.d sssd LDAP auth with sudo (coreos-overlay#1170)
• Let network-cleanup.service finish before entering rootfs (coreos-overlay#1182)
• Fixed SELinux policy for Flannel CNI (coreos-overlay#1181)

Changes

• cgroups v2 by default for new nodes (coreos-overlay#931).
• Upgrade Docker to 20.10 (coreos-overlay#931)
• update_engine: add postinstall hook to stay on cgroupv1 (update_engine#13)
• Switched to zstd compression for the initramfs (coreos-overlay#1136)
• Embedded new subkey in flatcar-install (coreos-overlay#1180)
• Azure: Compile OEM contents for all architectures (coreos-overlay#1196)
• AWS: Added amazon-ssm-agent (coreos-overlay#1162)
• SDK: enabled experimental ARM64 SDK usage (flatcar-scripts#134) (flatcar-scripts#141)

Updates

• Linux (5.10.59)
• containerd (1.5.5)
• docker (20.10.7)
• docker CLI (20.10.7)
• docker proxy (0.8.0_p20210525)
• glibc (2.33-r5)
• Go (1.16.7)
• libuv (1.41.1)
• mit-krb5 (1.19.2)
• NVIDIA Drivers (470.57.02)
• portage-utils (0.90)
• runc (1.0.1)
• systemd (247.9)
• tar (1.34)
• tini (0.19)
• SDK: dnsmasq (2.85)
• SDK: rust (1.54)

Note: Please note that ARM images remain experimental for now.

Security fixes

• Linux (CVE-2021-37576)
• expat (CVE-2013-0340)

Bug fixes

• Set the cilium_vxlan interface to be not managed by networkd’s default setup with DHCP as it’s managed by Cilium. (init#43)
• Disabled SELinux by default on dockerd wrapper script (coreos-overlay#1149)
• Fixed the network-cleanup service race in the initramfs which resulted in a failure being reported
• GCE: Granted CAP_NET_ADMIN to set routes for the TCP LB when starting oem-gce.service (coreos-overlay#1146)

Changes

• Switched the arm64 kernel to use a 4k page size instead of 64k
• Switched dm-verity corruption detection to issue a kernel panic (a panic results in a reboot after 1 minute, this was the case before already) instead of merely failing certain syscalls that try to use the corrupted data
• Support BTRFS in OEM and /usr partitions, but only used it for the OEM partition for now. Ignition configurations that refer to the OEM partition will work with any filesystem format specified, a mismatch is not resulting in a boot error. (coreos-overlay#1106)
• Enabled zstd compression for the initramfs and for amd64 also for the kernel because we hit the vmlinuz size limit on the /boot partition
• Deleted the unused kernel+initramfs vmlinuz file from the /usr partition
• devcontainer: added support to run on arm64 by switching to an architecture-agnostic partition UUID
• Enabled ARM64 SDK bootstrap (scripts#134)

Updates

• Linux (5.10.55)
• Linux Firmware (20210716)
• expat (2.4.1)
• libarchive (3.5.1)
• xz-utils (5.2.5)
• cryptsetup (2.3.6)

Note: Please note that ARM images remain experimental for now.

Security fixes

• Linux (CVE-2021-28964, CVE-2021-28972, CVE-2021-28971, CVE-2021-28951, CVE-2021-28952, CVE-2021-29266, CVE-2021-28688, CVE-2021-29264, CVE-2021-29649, CVE-2021-29650, CVE-2021-29646, CVE-2021-29647, CVE-2021-29154, CVE-2021-29155, CVE-2021-23133)
• dnsmasq (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)
• git (CVE-2021-21300)
• gnutls (CVE-2021-20231, CVE-2021-20232)
• sqlite (CVE-2021-20227)
• qemu (CVE-2020-10717, CVE-2020-13754, CVE-2020-15859, CVE-2020-15863, CVE-2020-16092, CVE-2020-25741, CVE-2020-25742, CVE-2020-25743)
• curl (CVE-2021-22876, CVE-2021-22890)
• libxml2 (CVE-2020-24977)
• openldap (CVE-2021-27212)

Bug fixes

• Fix the patch to update DefaultTasksMax in systemd (coreos-overlay#971)

Changes

• Make the hostname setting units optional. Having the hostname units as required by the initrd.target meant that if the unit failed the machine wouldn’t start, disrupting the whole boot. (bootengine#23)
• Enable using iSCSI netroot devices on Flatcar (bootengine#22)

Updates

• Linux (5.10.32)
• systemd (247.6)
• openldap (2.4.58)
• curl (7.76.1)
• gnutls (3.7.1)
• git (2.26.3)
• libxml2 (2.9.10)
• sqlite (3.34.1)
• dnsmasq (2.83)
• go (1.16.2)
• SDK: QEMU (5.2.0)
• SDK: Rust (1.51.0)

Deprecation

• rkt and kubelet-wrapper are deprecated and removed from Alpha, also from subsequent channels in the future. Please read the removal announcement to know more.

[Alpha only] Note: Please note that ARM images remain experimental for now.

Security fixes

• Linux (CVE-2021-26931, CVE-2021-26930, CVE-2021-26932)
• openssl (CVE-2021-23840, CVE-2021-23841, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841)
• intel-microcode (CVE-2020-8696, CVE-2020-8698)

Changes

• sshd: use secure crypto algos only (kinvolk/coreos-overlay#852)
• samba: Update to EAPI=7, add new USE flags and remove deps on icu (kinvolk/coreos-overlay#864)
• kernel: enable kernel config CONFIG_BPF_LSM (kinvolk/coreos-overlay#846)
• bootengine: set hostname for EC2 and OpenStack from metadata (kinvolk/coreos-overlay#848)

Updates

• Linux (5.10.19)
• systemd (247.3)
• intel-microcode (20210216)
• multipath-tools (0.8.5)
• openssl (1.1.1j)
• runc (1.0.0_rc93)
• SDK: Rust (1.50.0)

Deprecation

• dhcpcd and containerd-stress will be deprecated from Alpha, also from other channels in the future (kinvolk/coreos-overlay#858)

Note: Please note that ARM images remain experimental for now.

Security fixes

• Linux - CVE-2020-28374, CVE-2020-36158
• go - CVE-2021-3114
• bsdiff - CVE-2020-14315
• curl - CVE-2020-8169, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286
• dhcpcd - CVE-2019-11577, CVE-2019-11766
• mit-krb5 - CVE-2020-28196
• sudo - CVE-2021-3156, CVE-2021-23239

Bug fixes

• /etc/iscsi/initiatorname.iscsi is generated by the iscsi-init service (#321)
• Prevent iscsiadm buffer overflow (#318)

Changes

• Revert to building docker and containerd with go1.13 instead of go1.15. This reduces the SIGURG log spam (Issue #315 PR #774)
• The containerd socket is now available in the default location (/run/containerd/containerd.sock) and also as a symlink in the previous location (/run/docker/libcontainerd/docker-containerd.sock) (#771)
• AWS Pro: include scripts to facilitate setup of EKS workers (#794).
• Missed from earlier notes: with the previous open-iscsi update to 2.1.2, the service unit name changed from iscsid to iscsi (#682)

Updates

• linux (5.10.10)
• systemd (247.2)
• curl (7.74.0)
• dhcpcd (8.1.9)
• open-iscsi (2.1.3)
• go (1.15.7)
• mit-krb5 (1.18.2-r2)
• open-vm-tools (11.2.5)
• rust (1.49.0)
• sudo (1.9.5p2)

Note: This alpha release includes only AMD64 images.

Security fixes

• Linux
  • CVE-2020-27815
  • CVE-2020-27830
  • CVE-2020-27835
  • CVE-2020-28588
  • CVE-2020-29568
  • CVE-2020-29569
  • CVE-2020-29660
  • CVE-2020-29661

Bug fixes

• afterburn (coreos-metadata): Restart on failure and keep coreos-metadata unit active (kinvolk/coreos-overlay#768)
• networkd: avoid managing MAC addresses for veth devices (kinvolk/init#33)

Changes

• Updated nsswitch.conf to use systemd-resolved (kinvolk/baselayout#10)
• Enabled systemd-resolved stub listeners (kinvolk/baselayout#11)
• systemd-resolved: Disabled DNSSEC for the mean time (kinvolk/baselayout#14)
• kernel: enabled CONFIG_DEBUG_INFO_BTF (kinvolk/coreos-overlay#753)
• containerd: Switched to default upstream socket location while keeping a symlink for the previous location in Flatcar (kinvolk/coreos-overlay#771)
• containerd: Disabled shim debug logs (kinvolk/coreos-overlay#766)

Updates

• Linux (5.10.4)
• Linux firmware (20201218)
• SDK: Rust (1.48.0)

Note: Please note that ARM images remain experimental for now.

Security fixes

• bsdiff
  • CVE-2014-9862
• containerd
  • CVE-2020-15257
• pam
  • CVE-2020-27780
• Linux
  • CVE-2020-29661
  • CVE-2020-29660
  • CVE-2020-27830
  • CVE-2020-28588 (only affects 32-bit systems, Flatcar Container Linux is not affected)
  • CVE-2020-27835 (only affects systems with Infiniband HF1 driver, Flatcar Container Linux is not affected)

Bug fixes

• The sysctl net.ipv4.conf.*.rp_filter is set to 0 for the Cilium CNI plugin to work (Flatcar#181)
• Package downloads in the developer container now use the correct URL again (Flatcar#298)

Changes

• A symlink vimdiff should not be created, if the USE flag minimal is enabled. (Flatcar/#221)
• The sysctl default config file is now applied under the prefix 60 which allows for custom sysctl config files to take effect when they start with a prefix of 70, 80, or 90 (baselayout#13)
• Containerd CRI plugin got enabled by default, only the containerd socket path needs to be specified as kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (Flatcar#283)
• For users with a custom update server a machine alias setting in update-engine allows to give human-friendly names to client instances (update-engine#8)
• Enable BCMGENET as a module on arm64_defconfig-5.9 (coreos-overlay#717)
• Enable BCM7XXX_PHY as a module on arm64_defconfig-5.9 for Raspberry Pi 4 (coreos-overlay#716)
• Disable jpeg USE flag from QEMU (coreos-overlay#729)
• flatcar_production_qemu.sh: Use more CPUs for ARM if available (scripts#91)

Updates

• Linux (5.9.14)
• Linux firmware (20201118)
• Docker (19.03.14)
• containerd (1.4.3)
• pam (1.5.1)
• sqlite (3.33)
• SDK: Rust (1.47.0)
• SDK: Go (1.15.6)
• SDK: repo (2.8)
• SDK: dwarves (1.19)

Note: Please note that ARM images remain experimental for now.

Security fixes

• glibc (CVE-2019-9169, CVE-2019-6488, CVE-2019-7309, CVE-2020-10029, CVE-2020-1751, CVE-2020-6096, CVE-2018-20796)

Bug fixes

• Added systemd-tmpfiles directives for /opt and /opt/bin to ensure that the folders have correct permissions even when /opt/ was once created by containerd (Flatcar#279)

Changes

• Enabled the kernel config HOTPLUG_PCI_ACPI for arm64 to support attaching EC2 volumes (PR#705)

Updates

• Linux (5.9.11)
• glibc (2.32)

Note: Please note that ARM images remain experimental for now.

Security fixes:

• Linux - (CVE-2020-27673, CVE-2020-27675)
• Go - (CVE-2020-28362, CVE-2020-28367, CVE-2020-28366)
• glib (CVE-2019-12450)
• open-iscsi (CVE-2017-17840)
• samba (CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, CVE-2019-3880, CVE-2019-10218)
• shadow (CVE-2019-19882)
• sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
• trousers (CVE-2020-24330, CVE-2020-24331)
• cifs-utils (CVE-2020-14342)
• ntp (CVE-2020-11868, CVE-2020-13817, CVE-2018-8956, CVE-2020-15025)
• bzip2 (CVE-2019-12900)

Bug fixes:

• network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)
• Make the automatic filesystem resizing more robust against a race and add more logging (kinvolk/init#31)
• Default again to waiting only for one network interface to be ready with systemd-networkd-wait-online which was missing in the initial systemd 246 update
• Default again to disabling IP Forwarding in systemd which was missing in the initial systemd 246 update
• Make systemd detect updates again when the /usr partition changes which was missing in the initial systemd 246 update
• Default again to set DefaultTasksMax=100% in systemd which was missing in the initial systemd 246 update
• Default again to disable SELinux permissions checks in systemd which was missing in the initial systemd 246 update

Changes:

• The zstd tools were added (version 1.4.4)
• The kernel config CONFIG_PSI was set to support Pressure Stall Information, more information also under https://facebookmicrosites.github.io/psi/docs/overview (Flatcar#162)
• The kernel config CONFIG_BPF_JIT_ALWAYS_ON was set to use the BPF just-in-time compiler by default for faster execution
• The kernel config CONFIG_DEBUG_INFO_BTF was set to support BTF metadata (BPF Type Format), one important piece for portability of BPF programs (CO-RE: Compile Once - Run Everywhere) through relocation
• The kernel config CONFIG_POWER_SUPPLY was set
• The kernel configs CONFIG_OVERLAY_FS_METACOPY and CONFIG_OVERLAY_FS_REDIRECT_DIR were set. With the first overlayfs will only copy up metadata when a metadata-specific operation like chown/chmod is performed. The full file will be copied up later when the file is opened for write operations. With the second, which is equivalent to setting “redirect_dir=on” in the kernel command-line, overlayfs will copy up the directory first before the actual content (Flatcar#170).

Updates:

• Linux (5.9.8)
• Linux firmware (20200918)
• systemd (246.6)
• bzip2 (1.0.8)
• cifs-utils (6.11)
• dbus-glib (0.110)
• elfutils (0.178)
• glib (2.64.5)
• ntp (4.2.8_p15)
• open-iscsi (2.1.2)
• samba (4.11.13)
• shadow (4.8)
• sssd (2.3.1)
• strace (5.9)
• talloc (2.3.1)
• tdb (1.4.3)
• tevent (0.10.2)
• SDK/developer container: GCC (9.3.0), binutils (2.35), gdb (9.2)
• SDK: Go (1.15.5)
• VMware: open-vm-tools (11.2.0)

Security fixes:

• Linux - CVE-2020-27194
• c-ares - CVE-2017-1000381
• file - CVE-2019-18218
• json-c - CVE-2020-12762
• libuv - CVE-2020-8252
• libxml2 - CVE-2019-20388 CVE-2020-7595
• re2c - CVE-2020-11958
• tar - CVE-2019-9923

Bug fixes:

• Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)
• Allow inactive network interfaces to be bound to a bonding interface, by encoding additional configuration for systemd-networkd-wait-online (afterburn PR #10)
• Azure: Exclude bonded SR-IOV driver mlx5-core from network interfaces managed by systemd-networkd (bootengine PR #19) (init PR #29)
• Do not configure ccache in Jenkins (scripts PR #100)

Changes:

• Remove unnecessary kernel module nf-conntrack-ipv4 (overlay PR#649)

Updates:

• Linux 5.8.16
• c-ares 1.61.1
• cryptsetup 2.3.2
• json-c 0.15
• libuv 1.39.0
• libxml2 2.9.10
• tar 1.32
• Go 1.15.3, 1.12.17 (only in SDK)
• file 5.39 (only in SDK)
• gdbus-codegen 2.64.5 (only in SDK)
• meson 0.55.3 (only in SDK)
• re2c 2.0.3 (only in SDK)

Note: Please note that ARM images remain experimental for now.

Security fixes:

• Linux - CVE-2020-25645, CVE-2020-25643, CVE-2020-25211

Bug fixes:

• Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)
• Azure: Exclude bonded SR-IOV network interfaces with newer drivers from networkd (in addition to the old drivers) to prevent them being configured instead of just the bond interface (init PR#29, bootengine PR#19)

Changes:

• Compress kernel modules with xz (overlay PR#628)
• Add containerd-runc-shim-v* binaries required by kubelet custom CRI endpoints (overlay PR#623)
• AWS arm64: Enable elastic network adapter module (overlay PR#631)
• Equinix Metal (Packet): Exclude unused network interfaces from networkd, disregard the state of the bonded interfaces for the network-online.target and only require the bond interface itself to have at least one active link instead of routable which requires both links to be active (afterburn PR#10)
• QEMU: Use flatcar.autologin kernel command line parameter for auto login on the console (Flatcar #71)

Updates:

• Linux 5.8.14
• systemd 246
• tini 0.18
• libseccomp 2.5.0
• audit 2.8.5
• dracut 050

Security fixes:

• Linux: CVE-2020-25284, CVE-2020-14390
• jq: CVE-2015-8863, CVE-2016-4074
• sqlite: CVE-2020-11656, CVE-2020-9327, CVE-2020-11655, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358
• tcpdump and libpcap: CVE-2018-10103, CVE-2018-10105, CVE-2018-16301, CVE-2019-15163, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2018-19325, CVE-2018-14879, CVE-2017-16808, CVE-2018-19519, CVE-2019-15161, CVE-2019-15165, CVE-2019-15164, CVE-2019-1010220
• libbsd: CVE-2019-20367
• rsync: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843

Bug fixes:

• Enabled missing systemd services (#191, PR #612)
• Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
• Solved adcli Kerberos Active Directory incompatibility (#194)
• Fixed the makefile path when building kernel modules with the developer container (#195)
• Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config flatcar-linux/coreos-overlay#613

Changes:

• GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)

Updates:

• Linux 5.8.11
• Docker 19.03.13
• docker-runc 1.0.-rc92
• containerd 1.4.1
• adcli 0.9.0
• GCE: oslogin 20200910.00
• jq 1.6
• rsync 3.2.3
• tcpdump 4.9.3

Note: Please note that ARM images remain experimental for now.

Bug fixes:

• Fix resetting of DNS nameservers in systemd-networkd units (PR#12)

Changes:

• Disable TX checksum offloading for the IP-in-IP tunl0 interface used by Calico (PR#26). This is a workaround for a Mellanox driver issue, currently tracked in Flatcar#183
• Set sysctl net.ipv4.conf.(all|*).rp_filter to 0 (instead of the systemd upstream value 2) to be less restrictive which some network solutions rely on (PR#11)
• Update-engine now detects rollbacks and reports them as errors to the update server (PR#6)
• flatcar-install allows installation to a multipath drive (PR#24)
• Support the lockdown kernel command line parameter (PR#533)
• Update public key to include a new subkey

Updates:

• Linux 5.8.9
• linux-firmware 20200817
• Go 1.15.2
• Rust 1.46.0

Note: Please note that ARM images remain experimental for now.

Bug fixes:

• Resolve ipset API incompatibility Flatcar#174
• Fix udev rule warning about ignored value Flatcar#164
• Add missing render group Flatcar#169

Changes:

• Mount /sys/fs/bpf into the toolbox container and allow BPF syscalls (PR#544)
• Support loading BPF programs with tc Flatcar#172

Updates:

• Linux 5.4.61
• etcd-wrapper/etcdctl 3.3.25
• ipset 7.6
• iproute 5.8
• mdadm 4.1
• VMware: openvm-tools 11.1.5

Note: Please note that ARM images remain experimental for now.

Security fixes:

• Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Bug fixes:

• etcd-wrapper: Adjust data dir permissions https://github.com/flatcar-linux/coreos-overlay/pull/536

Changes:

• Add drivers for qedf, qedi, qla4xxx as kernel modules https://github.com/flatcar-linux/coreos-overlay/pull/528

Updates:

• Linux 5.4.59
• Bind-tools 9.16.6
• Openssl 1.1.1g
• etcd-wrapper 3.3.24
• sssd 1.16.3
• kerberos 1.18.2
• Containerd 1.3.7
• Go 1.13.15 used for compilation

Bug Fixes:

• Improved logic for GPT disk UUID randomization to fix booting on Packet c3.medium.x86 machines (flatcar-linux/bootengine#17)
• gpg: add patches for accepting keys without UIDs (flatcar-linux/coreos-overlay#381)
• The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] (flatcar-linux/bootengine#15)

Changes:

• Since version 245 systemd-networkd ignores network unit files with an empty [Match] section. Add a Name=* entry to match all interfaces.
• Weave network interfaces are excluded from systemd-networkd (flatcar-linux/init#22)
• Enabled the mmio and vsock virtio kernel modules for Firecracker (flatcar-linux/coreos-overlay#485)
• Enabled CONFIG_IKHEADERS to expose kernel headers under /sys/kernel/kheaders.tar.xz
• Vultr support in Ignition (flatcar-linux/ignition#13)
• VMware OVF settings default to ESXi 6.5 and Linux 3.x

Updates:

• Linux 5.4.55
• systemd v245
• Docker 19.03.12
• gnupg 2.2.20
• cryptsetup 2.0.3
• etcd 3.3.22
• etcdctl 3.3.22
• Go 1.13.14
• Rust 1.44.1

Note: Please note that ARM images remain experimental for now.

Security Fixes:

• Malicious URLs can cause Git to expose private credentials CVE-2020-5260
• Similar to CVE-2020-5260, Malicious URLs can cause Git to expose private credentials CVE-2020-11008

Bugfixes:

• Include dig binary in ARM flatcar-linux/Flatcar#123
• Fix the login prompt issue in the ISO flatcar-linux/Flatcar#131
• app-admin/{kubelet, etcd, flannel}-wrapper: don’t overwrite the user supplied –insecure-options argument https://github.com/flatcar-linux/coreos-overlay/pull/426

Updates:

• Linux - 5.4.47
• Docker - 19.03.11
• Go - 1.13.12
• strace - 5.6
• git - 2.26.2

Note: Please note that ARM images remain experimental for now.

Flatcar updates

Security fixes:

• Fix the Intel Microcode vulnerabilities (CVE-2020-0543)

Changes:

• A source code and licensing overview is available under /usr/share/licenses/INFO

Updates:

• Linux 5.4.46
• intel-microcode 20200609

Flatcar updates

Security fixes:

• Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
• Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
• Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
• Fix libidn2 domain impersonation (CVE-2019-12290)
• Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
• Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
• Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
• Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
• Fix vim arbitrary command execution via crafted file (CVE-2019-12735)

Bug fixes:

• Revert adding the SELinux use flag for docker-runc until a regression is solved
• When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar-linux/update_engine/pull/5)
• Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed

Changes:

• Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar-linux/bootengine/pull/13)
• Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
• Add wireguard kernel module from wireguard-linux-compat
• Include wg (wireguard-tools)
• Enable regex support for jq
• Use flatcar.autologin kernel command line parameter on Azure for auto login on the serial console

Updates:

• e2fsprogs 1.45.5
• etcd 3.3.20
• etcdctl 3.3.20
• Linux 5.4.41
• OpenSSL 1.0.2u
• vim 8.2.0360
• systemd 243

Flatcar updates

Bug fixes:

• Support both guestinfo.ignition.config and guestinfo.coreos.config in coreos-cloudinit (https://github.com/flatcar-linux/coreos-cloudinit/pull/4)
• Fix VMware guestinfo variable retrieval and add missing variables in ignition (https://github.com/flatcar-linux/ignition/pull/11)
• Use flatcar.autologin for the console in oem-vmware (https://github.com/flatcar-linux/coreos-overlay/pull/308)
• Log list of coredumps with coredumpctl in mayday (https://github.com/flatcar-linux/mayday/pull/8)

Updates:

• Linux 5.4.35
• Go 1.13.10
• containerd 1.3.4
• conntrack-tools 1.4.5
• linux-firmware 20191022

Flatcar updates

Bug fixes:

• Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
  • It is a possible breaking change for some persistent network interface names
• Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
• Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
• Build a download URL in a safer way (https://github.com/flatcar-linux/update_engine/issues/3)
• Remove /boot/coreos/first_boot after a Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
• Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)
• Make flannel cross-node traffic work with systemd > 242 (https://github.com/coreos/flannel/issues/1155, https://github.com/flatcar-linux/coreos-overlay/pull/279)

Changes:

• Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)
• Extend logging capabilities of mayday (https://github.com/flatcar-linux/Flatcar/issues/61)

Updates:

• Linux 4.19.113
• Docker 19.03.8
• open-vm-tools 11.0.5
• openssh 8.1
• WAAgent 2.2.46

Flatcar updates

Bug fixes:

• Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
• Do not error out in runc if SELinux is disabled on the system (https://github.com/flatcar-linux/coreos-overlay/pull/189)
• Bring back runc 1.0-rc2 for Docker 17.03 (https://github.com/flatcar-linux/coreos-overlay/pull/191)
• Use correct branch name format in developer container tools (https://github.com/flatcar-linux/dev-util/pull/2)

Updates:

• Linux 4.19.106

Flatcar updates

Security fixes:

• Fix stack-based buffer overflow in sudo (CVE-2019-18634)
• Fix incorrect access control leading to privileges escalation in runc (CVE-2019-19921)
• Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)

Bug fixes:

• Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
• Use correct URLs for flatcar-linux in emerge-gitclone and scripts (https://github.com/flatcar-linux/dev-util/pull/1) (https://github.com/flatcar-linux/scripts/pull/50)
• Fix a wrong profile reference in torcx (https://github.com/flatcar-linux/coreos-overlay/pull/162)
• Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
• Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)
• Fix backwards compatibility issues for users to migrate from CoreOS Container Linux (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)

Changes:

• Build Flatcar tarballs to be used by containers (https://github.com/flatcar-linux/scripts/pull/51)
• Enable qede kernel module

Updates:

• Linux 4.19.102
• runc 1.0.0-rc10
• sudo 1.8.31

Upstream Container Linux updates:

Security fixes:

• Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)

Updates:

• Git 2.24.1
• Ignition 0.34.0

Flatcar updates

• Linux 4.19.97

Flatcar updates

Security fixes:

• Fix a denial-of-service issue via malicious access to /dev/kvm (CVE-2019-19332)

Bug fixes:

• Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)

Updates:

• Linux 4.19.89

Flatcar updates

It is the first release done for both amd64 and arm64.

Bug fixes:

• Fix cross-build issues around WAF by creating wrappers (https://github.com/flatcar-linux/coreos-overlay/pull/137 https://github.com/flatcar-linux/coreos-overlay/pull/139)

Updates:

• ldb 1.3.6
• samba 4.8.6
• talloc 2.1.11
• tdb 1.3.15
• tevent 0.9.37

Flatcar updates

Security fixes:

• Fix heap-based buffer over-read in libexpat (CVE-2019-15903)
• Fix code injection around dynamic libraries in docker (CVE-2019-14271)

Bug fixes:

• Fix cross-build issues in rust by storing shell scripts under the source directory (https://github.com/flatcar-linux/coreos-overlay/pull/125)
• Fix bug in dealing with xattrs when unpacking torcx tarballs (https://github.com/flatcar-linux/torcx/pull/2)

Updates:

• Linux 4.19.87
• docker 19.03.5
• etcd 3.3.18
• expat 2.2.8

Flatcar updates

Security fixes:

• Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
• Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
• Fix curl Kerberos FTP double free (CVE-2019-5481)
• Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
• Fix OpenSSL key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)
• Fix panic caused by invalid DSA public keys in Go 1.12 and 1.13 (CVE-2019-17596)

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• Go 1.12.12 and 1.13.3
• curl 7.66.0
• intel-microcode 20191115
• Linux 4.19.84
• OpenSSL 1.0.2t
• timezone-data 2019c

Upstream Container Linux updates:

Bug fixes:

• Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
• Fix time zone for Brazil (#2627)

Updates:

• Linux 4.19.81
• timezone-data 2019c

Upstream Container Linux updates:

Changes:

• Pin rkt to Go 1.12

Updates:

• Go 1.12.10
• Go 1.13.2
• Linux 4.19.80

Upstream Container Linux updates:

Security fixes:

• Fix sudo allowing a user to run commands as root if configured to permit the user to run commands as everyone other than root (CVE-2019-14287)

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• etcd 3.3.17
• etcdctl 3.3.17
• Go 1.12.9
• Linux 4.19.79
• sudo 1.8.28

Upstream Container Linux updates:

Bug fixes:

• Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)

Updates:

• Linux 4.19.78

Upstream Container Linux updates:

Security fixes:

• Fix dbus authentication bypass in non-default configurations (CVE-2019-12749)
• Fix kernel KVM guest escape (CVE-2019-14835)
• Fix race condition in Intel microprocessors (CVE-2019-11184)

Updates:

• intel-microcode 20190918
• Linux 4.19.75

Upstream Container Linux updates:

Security fixes:

• Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)

Bug fixes:

• Fix GCE agent crash loop in new installs (#2608)