lts-3510.3.0

Changes since Stable 3510.2.8

Security fixes:

• Linux (CVE-2023-42752, CVE-2023-42753, CVE-2023-4623, CVE-2023-4921)

Bug fixes:

Changes:

• Use qcow2 compressed format instead of additional compression layer in Qemu images (Flatcar#1135, scripts#1132)

Updates:

• Linux (5.15.132 (includes 5.15.131, 5.15.130))

Changes compared to LTS-2022 3033.3.17

Security fixes:

• Linux (CVE-2019-15794,CVE-2020-16119,CVE-2020-24586,CVE-2020-24587,CVE-2020-24588,CVE-2020-25639,CVE-2020-25670,CVE-2020-25671,CVE-2020-25672,CVE-2020-25673,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2020-26541,CVE-2020-26555,CVE-2020-26558,CVE-2020-27170,CVE-2020-27171,CVE-2020-27820,CVE-2020-36516,CVE-2021-0129,CVE-2021-0512,CVE-2021-0920,CVE-2021-0937,CVE-2021-0941,CVE-2021-20320,CVE-2021-20321,CVE-2021-20322,CVE-2021-22543,CVE-2021-22555,CVE-2021-22600,CVE-2021-23133,CVE-2021-23134,CVE-2021-26401,CVE-2021-26930,CVE-2021-26931,CVE-2021-26932,CVE-2021-27363,CVE-2021-27364,CVE-2021-27365,CVE-2021-28038,CVE-2021-28039,CVE-2021-28375,CVE-2021-28660,CVE-2021-28688,CVE-2021-28691,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-28950,CVE-2021-28951,CVE-2021-28952,CVE-2021-28964,CVE-2021-28971,CVE-2021-28972,CVE-2021-29154,CVE-2021-29155,CVE-2021-29264,CVE-2021-29265,CVE-2021-29266,CVE-2021-29646,CVE-2021-29647,CVE-2021-29648,CVE-2021-29649,CVE-2021-29650,CVE-2021-29657,CVE-2021-30002,CVE-2021-31440,CVE-2021-31829,CVE-2021-31916,CVE-2021-32399,CVE-2021-32606,CVE-2021-33033,CVE-2021-33034,CVE-2021-33098,CVE-2021-33135,CVE-2021-33200,CVE-2021-33624,CVE-2021-33655,CVE-2021-33909,CVE-2021-3444,CVE-2021-34556,CVE-2021-34693,CVE-2021-3483,CVE-2021-34866,CVE-2021-3489,CVE-2021-3490,CVE-2021-3491,CVE-2021-34981,CVE-2021-3501,CVE-2021-35039,CVE-2021-3506,CVE-2021-3543,CVE-2021-35477,CVE-2021-3564,CVE-2021-3573,CVE-2021-3600,CVE-2021-3609,CVE-2021-3612,CVE-2021-3640,CVE-2021-3653,CVE-2021-3655,CVE-2021-3656,CVE-2021-3659,CVE-2021-3679,CVE-2021-37159,CVE-2021-3732,CVE-2021-3736,CVE-2021-3739,CVE-2021-3743,CVE-2021-3744,CVE-2021-3752,CVE-2021-3753,CVE-2021-37576,CVE-2021-3760,CVE-2021-3764,CVE-2021-3772,CVE-2021-38166,CVE-2021-38198,CVE-2021-38199,CVE-2021-38200,CVE-2021-38201,CVE-2021-38202,CVE-2021-38203,CVE-2021-38204,CVE-2021-38205,CVE-2021-38206,CVE-2021-38207,CVE-2021-38208,CVE-2021-38209,CVE-2021-38300,CVE-2021-3923,CVE-2021-39633,CVE-2021-39656,CVE-2021-39685,CVE-2021-39686,CVE-2021-39698,CVE-2021-4001,CVE-2021-4002,CVE-2021-4028,CVE-2021-40490,CVE-2021-4083,CVE-2021-4090,CVE-2021-4093,CVE-2021-41073,CVE-2021-4135,CVE-2021-4148,CVE-2021-4149,CVE-2021-4154,CVE-2021-4155,CVE-2021-4157,CVE-2021-41864,CVE-2021-4197,CVE-2021-42008,CVE-2021-4202,CVE-2021-4203,CVE-2021-42252,CVE-2021-42327,CVE-2021-42739,CVE-2021-43056,CVE-2021-43057,CVE-2021-43267,CVE-2021-43389,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-44879,CVE-2021-45095,CVE-2021-45100,CVE-2021-45402,CVE-2021-45469,CVE-2021-45480,CVE-2021-45485,CVE-2021-45486,CVE-2021-45868,CVE-2021-46283,CVE-2022-0001,CVE-2022-0002,CVE-2022-0168,CVE-2022-0171,CVE-2022-0185,CVE-2022-0264,CVE-2022-0286,CVE-2022-0322,CVE-2022-0330,CVE-2022-0382,CVE-2022-0435,CVE-2022-0487,CVE-2022-0492,CVE-2022-0494,CVE-2022-0500,CVE-2022-0516,CVE-2022-0617,CVE-2022-0742,CVE-2022-0847,CVE-2022-0850,CVE-2022-0995,CVE-2022-1011,CVE-2022-1012,CVE-2022-1015,CVE-2022-1016,CVE-2022-1043,CVE-2022-1048,CVE-2022-1055,CVE-2022-1158,CVE-2022-1184,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1204,CVE-2022-1263,CVE-2022-1353,CVE-2022-1462,CVE-2022-1516,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1943,CVE-2022-1973,CVE-2022-1974,CVE-2022-1975,CVE-2022-1998,CVE-2022-20008,CVE-2022-20132,CVE-2022-20141,CVE-2022-20148,CVE-2022-20154,CVE-2022-20158,CVE-2022-20368,CVE-2022-20369,CVE-2022-20421,CVE-2022-20422,CVE-2022-20566,CVE-2022-20572,CVE-2022-2078,CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-21499,CVE-2022-21505,CVE-2022-2153,CVE-2022-2196,CVE-2022-22942,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-2308,CVE-2022-2318,CVE-2022-23222,CVE-2022-2380,CVE-2022-23960,CVE-2022-24122,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-2503,CVE-2022-25258,CVE-2022-25375,CVE-2022-25636,CVE-2022-2585,CVE-2022-2586,CVE-2022-2588,CVE-2022-2602,CVE-2022-26365,CVE-2022-26373,CVE-2022-2639,CVE-2022-26490,CVE-2022-2663,CVE-2022-26966,CVE-2022-27223,CVE-2022-27666,CVE-2022-27672,CVE-2022-27950,CVE-2022-28356,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390,CVE-2022-2873,CVE-2022-28893,CVE-2022-2905,CVE-2022-29156,CVE-2022-2938,CVE-2022-29581,CVE-2022-29582,CVE-2022-2959,CVE-2022-2964,CVE-2022-2977,CVE-2022-2978,CVE-2022-29900,CVE-2022-29901,CVE-2022-3028,CVE-2022-30594,CVE-2022-3061,CVE-2022-3077,CVE-2022-3078,CVE-2022-3104,CVE-2022-3105,CVE-2022-3106,CVE-2022-3107,CVE-2022-3108,CVE-2022-3110,CVE-2022-3111,CVE-2022-3112,CVE-2022-3113,CVE-2022-3115,CVE-2022-3169,CVE-2022-3176,CVE-2022-3202,CVE-2022-32250,CVE-2022-32296,CVE-2022-3239,CVE-2022-32981,CVE-2022-3303,CVE-2022-3344,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33744,CVE-2022-33981,CVE-2022-3424,CVE-2022-34494,CVE-2022-34495,CVE-2022-34918,CVE-2022-3521,CVE-2022-3524,CVE-2022-3526,CVE-2022-3534,CVE-2022-3543,CVE-2022-3545,CVE-2022-3564,CVE-2022-3565,CVE-2022-3577,CVE-2022-3586,CVE-2022-3594,CVE-2022-36123,CVE-2022-3619,CVE-2022-3621,CVE-2022-3623,CVE-2022-3625,CVE-2022-3628,CVE-2022-36280,CVE-2022-3629,CVE-2022-3633,CVE-2022-3635,CVE-2022-3643,CVE-2022-3646,CVE-2022-3649,CVE-2022-36879,CVE-2022-36946,CVE-2022-3707,CVE-2022-39189,CVE-2022-39190,CVE-2022-40307,CVE-2022-40768,CVE-2022-4095,CVE-2022-40982,CVE-2022-41218,CVE-2022-41222,CVE-2022-4129,CVE-2022-41674,CVE-2022-41849,CVE-2022-41850,CVE-2022-41858,CVE-2022-42432,CVE-2022-4269,CVE-2022-42703,CVE-2022-42719,CVE-2022-42720,CVE-2022-42721,CVE-2022-42722,CVE-2022-42895,CVE-2022-42896,CVE-2022-43750,CVE-2022-4378,CVE-2022-4379,CVE-2022-4382,CVE-2022-43945,CVE-2022-45869,CVE-2022-45886,CVE-2022-45887,CVE-2022-45919,CVE-2022-45934,CVE-2022-4662,CVE-2022-4744,CVE-2022-47518,CVE-2022-47519,CVE-2022-47520,CVE-2022-47521,CVE-2022-47929,CVE-2022-47938,CVE-2022-47939,CVE-2022-47941,CVE-2022-47942,CVE-2022-47943,CVE-2022-4842,CVE-2022-48423,CVE-2022-48424,CVE-2022-48425,CVE-2022-48502,CVE-2023-0045,CVE-2023-0160,CVE-2023-0179,CVE-2023-0210,CVE-2023-0266,CVE-2023-0386,CVE-2023-0394,CVE-2023-0458,CVE-2023-0459,CVE-2023-0461,CVE-2023-0590,CVE-2023-0615,CVE-2023-1073,CVE-2023-1074,CVE-2023-1076,CVE-2023-1077,CVE-2023-1078,CVE-2023-1079,CVE-2023-1095,CVE-2023-1118,CVE-2023-1192,CVE-2023-1206,CVE-2023-1249,CVE-2023-1252,CVE-2023-1281,CVE-2023-1295,CVE-2023-1380,CVE-2023-1382,CVE-2023-1513,CVE-2023-1582,CVE-2023-1611,CVE-2023-1637,CVE-2023-1652,CVE-2023-1670,CVE-2023-1829,CVE-2023-1838,CVE-2023-1855,CVE-2023-1859,CVE-2023-1989,CVE-2023-1990,CVE-2023-2002,CVE-2023-2006,CVE-2023-2008,CVE-2023-2019,CVE-2023-20569,CVE-2023-20588,CVE-2023-20593,CVE-2023-20928,CVE-2023-21102,CVE-2023-2124,CVE-2023-2156,CVE-2023-2162,CVE-2023-2163,CVE-2023-2166,CVE-2023-2177,CVE-2023-2194,CVE-2023-2235,CVE-2023-2269,CVE-2023-22998,CVE-2023-22999,CVE-2023-23001,CVE-2023-23002,CVE-2023-23004,CVE-2023-23006,CVE-2023-23454,CVE-2023-23455,CVE-2023-23559,CVE-2023-25012,CVE-2023-2513,CVE-2023-26544,CVE-2023-26545,CVE-2023-26606,CVE-2023-26607,CVE-2023-28327,CVE-2023-28328,CVE-2023-28410,CVE-2023-28466,CVE-2023-2860,CVE-2023-28772,CVE-2023-2898,CVE-2023-2985,CVE-2023-3006,CVE-2023-30456,CVE-2023-30772,CVE-2023-3090,CVE-2023-3111,CVE-2023-31248,CVE-2023-3141,CVE-2023-31436,CVE-2023-3159,CVE-2023-3161,CVE-2023-3212,CVE-2023-3220,CVE-2023-32233,CVE-2023-32248,CVE-2023-32269,CVE-2023-3268,CVE-2023-33203,CVE-2023-33288,CVE-2023-3338,CVE-2023-3355,CVE-2023-3357,CVE-2023-3358,CVE-2023-3390,CVE-2023-35001,CVE-2023-3567,CVE-2023-35788,CVE-2023-35823,CVE-2023-35824,CVE-2023-35828,CVE-2023-35829,CVE-2023-3609,CVE-2023-3610,CVE-2023-3611,CVE-2023-3772,CVE-2023-3776,CVE-2023-3777,CVE-2023-3812,CVE-2023-38426,CVE-2023-38428,CVE-2023-38429,CVE-2023-38432,CVE-2023-3863,CVE-2023-3865,CVE-2023-3866,CVE-2023-4004,CVE-2023-4015,CVE-2023-40283,CVE-2023-4128,CVE-2023-4132,CVE-2023-4147,CVE-2023-4206,CVE-2023-4207,CVE-2023-4208,CVE-2023-4273,CVE-2023-42752,CVE-2023-42753,CVE-2023-42755,CVE-2023-4385,CVE-2023-4387,CVE-2023-4389,CVE-2023-4459,CVE-2023-4569,CVE-2023-4623, CVE-2023-4921, CVE-2022-40982, CVE-2022-41804, CVE-2023-20569, CVE-2023-23908)
• Docker (CVE-2022-36109, CVE-2022-29526)
• Go (CVE-2021-44716, CVE-2021-44717, CVE-2022-1705, CVE-2022-1962, CVE-2022-2879, CVE-2022-2880, CVE-2022-24675, CVE-2022-27664, CVE-2022-28131, CVE-2022-29526, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-32190, CVE-2022-41715, CVE-2022-41717)
• bind tools (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)
• binutils (CVE-2021-45078)
• cifs-utils (CVE-2021-20208, CVE-2022-27239, CVE-2022-29869)
• containerd (CVE-2021-43816, CVE-2022-23471, CVE-2022-23648, CVE-2022-24769, CVE-2022-31030)
• cpio (CVE-2021-38185)
• cryptsetup (CVE-2021-4122)
• curl (CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27781, CVE-2022-27782, CVE-2022-30115, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208, CVE-2022-32221, CVE-2022-35260, CVE-2022-42915, CVE-2022-42916, CVE-2022-35252, CVE-2022-43551, CVE-2022-43552)
• dbus (CVE-2022-42010, CVE-2022-42011, CVE-2022-42012)
• duktape (CVE-2021-46322)
• expat (CVE-2022-40674, CVE-2022-43680)
• gcc (CVE-2020-13844)
• git (CVE-2022-23521, CVE-2022-24765, CVE-2022-29187, CVE-2022-39253, CVE-2022-39260, CVE-2022-41903)
• glib (fixes to normal form handling in GVariant)
• gnupg (CVE-2022-34903)
• gnutls (CVE-2021-4209, GNUTLS-SA-2022-01-17, CVE-2022-2509)
• gzip,xz-utils (CVE-2022-1271)
• ignition (CVE-2020-14040, CVE-2021-38561, CVE-2022-1706)
• intel-microcode (CVE-2021-0127, CVE-2021-0146, CVE-2022-21151, CVE-2022-21233)
• krb5 (CVE-2021-37750)
• libarchive (CVE-2021-31566, CVE-2021-36976, CVE-2022-26280, CVE-2022-36227, libarchive-1565, libarchive-1566)
• libksba (CVE-2022-3515, CVE-2022-47629)
• GNU Libtasn1 (Gentoo#866237)
• libtirpc (CVE-2021-46828)
• libxml2 (CVE-2016-3709, CVE-2022-2309, CVE-2022-23308, CVE-2022-29824, CVE-2022-40303, CVE-2022-40304)
• logrotate (CVE-2022-1348)
• multipath-tools (CVE-2022-41973, CVE-2022-41974)
• ncurses (CVE-2022-29458)
• nvidia-drivers (CVE-2022-28181, CVE-2022-28183, CVE-2022-28184, CVE-2022-28185)
• oniguruma (oniguruma-20220430)
• OpenSSH (CVE-2021-41617)
• OpenSSL (CVE-2021-4044, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473, CVE-2022-3602, CVE-2022-3786)
• polkit (CVE-2021-4115)
• rsync (CVE-2018-25032, CVE-2022-29154)
• runc (CVE-2022-29162)
• shadow (CVE-2013-4235)
• sudo (CVE-2022-43995, CVE-2023-22809)
• systemd (CVE-2021-3997, CVE-2022-3821, CVE-2022-4415)
• unzip (CVE-2022-0529, CVE-2022-0530, CVE-2021-4217)
• util-linux (CVE-2021-3995, CVE-2021-3996, CVE-2022-0563)
• vim (CVE-2021-3872, CVE-2021-3875, CVE-2021-3903, CVE-2021-3927, CVE-2021-3928, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974, CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4136, CVE-2021-4173, CVE-2021-4166, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0392, CVE-2022-0393, CVE-2022-0407, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443, CVE-2022-0629, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729, CVE-2022-0943, CVE-2022-1154, CVE-2022-1160, CVE-2022-1381, CVE-2022-1420, CVE-2022-1616, CVE-2022-1619, CVE-2022-1620, CVE-2022-1621, CVE-2022-1629, CVE-2022-1674, CVE-2022-1725, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796, CVE-2022-1897, CVE-2022-1898, CVE-2022-1886, CVE-2022-1851, CVE-2022-1927, CVE-2022-1942, CVE-2022-1968, CVE-2022-2000, CVE-2022-2042, CVE-2022-2124, CVE-2022-2125, CVE-2022-2126, CVE-2022-2129, CVE-2022-2175, CVE-2022-2182, CVE-2022-2183, CVE-2022-2206, CVE-2022-2207, CVE-2022-2208, CVE-2022-2210, CVE-2022-2231, CVE-2022-2257, CVE-2022-2264, CVE-2022-2284, CVE-2022-2285, CVE-2022-2286, CVE-2022-2287, CVE-2022-2288, CVE-2022-2289, CVE-2022-2304, CVE-2022-2343, CVE-2022-2344, CVE-2022-2345, CVE-2022-2522, CVE-2022-2816, CVE-2022-2817, CVE-2022-2819, CVE-2022-2845, CVE-2022-2849, CVE-2022-2862, CVE-2022-2874, CVE-2022-2889, CVE-2022-2923, CVE-2022-2946, CVE-2022-2980, CVE-2022-2982, CVE-2022-3016, CVE-2022-3099, CVE-2022-3134, CVE-2022-3153, CVE-2022-3234, CVE-2022-3235, CVE-2022-3278, CVE-2022-3256, CVE-2022-3296, CVE-2022-3297, CVE-2022-3324, CVE-2022-3352, CVE-2022-3491, CVE-2022-3520, CVE-2022-3591, CVE-2022-3705, CVE-2022-4141, CVE-2022-4292, CVE-2022-4293, CVE-2023-0049, CVE-2023-0051, CVE-2023-0054)
• zlib (CVE-2018-25032, CVE-2022-37434)
• SDK: edk2-ovmf (CVE-2019-14584, CVE-2021-28210, CVE-2021-28211, CVE-2021-28213)
• SDK: libxslt (CVE-2021-30560)
• SDK: mantle (CVE-2021-3121, CVE-2021-38561, CVE-2021-43565)
• SDK: Python (CVE-2015-20107, CVE-2020-10735, CVE-2021-3654, CVE-2022-37454, CVE-2022-42919, CVE-2022-45061)
• SDK: QEMU (CVE-2020-14394, CVE-2020-35504, CVE-2020-35505, CVE-2020-35506, CVE-2020-35517, CVE-2021-20203, CVE-2021-20255, CVE-2021-20257, CVE-2021-20263, CVE-2021-3409, CVE-2021-3416, CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3607, CVE-2021-3608, CVE-2021-3682, CVE-2021-20203, CVE-2021-3713, CVE-2021-3930, CVE-2021-3947, CVE-2021-4145, CVE-2022-0216, CVE-2022-26353, CVE-2022-26354, CVE-2022-3872, CVE-2022-4172)
• SDK: Rust (CVE-2022-21658, CVE-2022-36113, CVE-2022-36114, CVE-2022-46176)
• SDK: squashfs-tools (CVE-2021-40153, CVE-2021-41072)
• VMware: open-vm-tools (CVE-2022-31676)

Bug fixes:

• Added networkd translation to files section when converting from Ignition 2.x to Ignition 3.x (coreos-overlay#1910, flatcar#741)
• Added a remount action as systemd-sysext.service drop-in unit to restore the OEM partition mount after the overlay mounts in /usr are done (init#69)
• Added back Ignition support for Vagrant (coreos-overlay#2351)
• Added back gettext to the OS (Flatcar#849)
• Added merging of Ignition systemd duplicated units when auto-translating from Ignition 2 to Ignition 3. (coreos-overlay#2187)
• Added support for Openstack for cloud-init activation (flatcar-linux/init#76)
• Added support for hardware security keys in update-ssh-keys (update-ssh-keys#7)
• Enabled IOMMU on arm64 kernels, the lack of which prevented some systems from booting (coreos-overlay#2235)
• Excluded Wireguard interface from systemd-networkd default management (Flatcar#808)
• Excluded the Kubenet cbr0 interface from networkd's DHCP config and set it to Unmanaged to prevent interference and ensure that it is not part of the network online check (init#55)
• Excluded the special Kubernetes network interfaces nodelocaldns and kube-ipvs0 from being managed with systemd-networkd which interfered with the setup (init#89).
• Fix "ext4 deadlock under heavy I/O load" kernel issue. The patch for this is included provisionally while we wait for it to be merged upstream (Flatcar#847, coreos-overlay#2315)
• Fixed Ignition btrfs forced formatting for OEM partition (coreos-overlay#2277)
• Fixed Ignition's OEM ID to be metal to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID pxe was used (bootengine#45)
• Fixed /etc/resolv.conf symlink by pointing it at resolv.conf instead of stub-resolv.conf. This bug was present since the update to systemd v250 (coreos-overlay#2057)
• Fixed a regression (in Alpha/Beta) where machines failed to boot if they didn't have the core user or group in /etc/passwd or /etc/group (baselayout#26)
• Fixed excluded interface type from default systemd-networkd configuration (flatcar-linux/init#78)
• Fixed space escaping in the networkd Ignition translation (Flatcar#812)
• Fixed the dracut emergency Ignition log printing that had a scripting error causing the cat command to fail (bootengine#33)
• Made Ignition write the SSH keys into a file under authorized_keys.d/ignition again and added a call to update-ssh-keys after Ignition ran to create the merged authorized_keys file, which fixes the problem that keys added by Ignition get lost when update-ssh-keys runs (init#66)
• Re-added the brd drbd nbd rbd xen-blkfront zram libarc4 lru_cache zsmalloc kernel modules to the initramfs since they were missing compared to the Flatcar 3033.2.x releases where the 5.10 kernel is used (bootengine#40)
• Restored the support to specify OEM partition files in Ignition when /usr/share/oem is given as initrd mount point (bootengine#58)
• Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) (Flatcar#665, coreos-overlay#1723)
• Skipped starting ensure-sysext.service if systemd-sysext.service won't be started, to prevent reporting a dependency failure (Flatcar#710)
• The Ignition v3 kargs directive failed before when used with the generic image where no grub.cfg exists, this was fixed by creating it first (bootengine#47)
• The rootfs setup in the initrd now runs systemd-tmpfiles on every boot, not only when Ignition runs, to fix a dbus failure due to missing files (Flatcar#944)
• flatcar-update: Stopped checking for the USER environment variable which may not be set in all environments, causing the script to fail unless a workaround was used like prepending an additional sudo invocation (init#58)
• network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting (init#51, coreos-cloudinit#12, bootengine#30)
• Fixed the restart of Systemd services when the main process is being killed by a SIGHUP signal (flatcar#1157)
• Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interaction during shutdown (patch in systemd 252.11)
• AWS: added EKS support for version 1.22 and 1.23. (coreos-overlay#2110, Flatcar#829)- VMWare: excluded wireguard (and others) from systemd-networkd management. (init#80)
• GCP: Restored oem-gce.service functionality on GCP (coreos-overlay#1813)
• GCP: Fixed shutdown script execution (coreos-overlay#1912, flatcar#743)

Changes:

• ARM64: Added cifs-utils for ARM64
• ARM64: Added sssd, adcli and realmd for ARM64
• Added CONFIG_NF_CT_NETLINK_HELPER (for libnetfilter_cthelper), CONFIG_NET_VRF (for virtual routing and forwarding) and CONFIG_KEY_DH_OPERATIONS (for keyutils) to the kernel config (coreos-overlay#1524)
• Added VMware networking configuration in the initramfs via guestinfo settings (bootengine#44, flatcar#717)
• Added CONFIG_NF_CONNTRACK_BRIDGE (for nf_conntrack_bridge) and CONFIG_NFT_BRIDGE_META (for nft_meta_bridge) to the kernel config to allow using conntrack rules for bridges in nftables and to match on bridge interface names (coreos-overlay#2207)
• Added auditd.service but left it disabled by default, a custom configuration can be created by removing /etc/audit/auditd.conf and replacing it with an own file (coreos-overlay#1636)
• Added cryptsetup to the initramfs for the Ignition luks directive (flatcar-linux/coreos-overlay#1760)
• Added a new flatcar-update tool to the image to ease manual updates, rollbacks, channel/release jumping, and airgapped updates (init#53)
• Added efibootmgr binary to the image (coreos-overlay#1955)
• Added symlink from nc to ncat. -q option is not yet supported (flatcar#545)
• Besides Ignition v1 and v2 configurations, Ignition configurations with specification v3 (up to 3.3.0) are now supported, see the docs section for details
• Bring in dependencies for NFS4 with Kerberos both in kernel and userspace. Tested against NFS4.1 server. (coreos-overlay#1664)
• Change CONFIG_WIREGUARD kernel option to module to save space on boot partition (coreos-overlay#2239)
• Disable several arch specific arm64 kernel config options for unsupported platforms to save space on boot partition (coreos-overlay#2239)
• Enabled CONFIG_INTEL_RAPL on AMD64 Kernel config to compile intel_rapl_common module in order to allow power monitoring on modern Intel processors (coreos-overlay#1801)
• Enabled systemd-sysext.service to activate systemd-sysext images on boot, to disable you will need to mask it. Also added a helper service ensure-sysext.service which reloads the systemd units to reevaluate the sockets, timers, and multi-user targets when systemd-sysext.service is (re)started, making it possible to enable units that are part of a sysext image (init#65)
• Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference (init#56)
• For amd64 /usr/lib used to be a symlink to /usr/lib64 but now they became two separate folders as common in other distributions (and was the case for arm64 already). Compatibility symlinks exist in case /usr/lib64 was used to access, e.g., the modules folder or the systemd folder (coreos-overlay#1713, scripts#255)
• Made SELinux enabled by default in default containerd configuration file. (coreos-overlay#1699)
• Removed rngd.service because it is not essential anymore for the kernel to boot fast in VM environments (coreos-overlay#1700)
• Specifying the OEM filesystem in Ignition to write files to /usr/share/oem is not needed anymore (bootengine#58)
• Switched from --strip-unneeded to --strip-debug when installing kernel modules, which makes kernel stacktraces more accurate and makes debugging issues easier (coreos-overlay#2196)
• The flatcar-update tool got two new flags to customize ports used on the host while updating flatcar (init#81)
• Toolbox now uses containerd to download and mount the image (toolbox#7)
• Update-engine now creates the /run/reboot-required flag file for kured (update_engine#15)
• flatcar-install: Added option to create UEFI boot entry (init#74)
• Add qemu-guest-agent to all amd64 images, it will be automatically enabled when qemu-ga virtio-port is detected (coreos-overlay#2240, portage-stable#373)
• Add a way to remove packages that are hard-blockers for update. A hard-blocker means that the package needs to be removed (for example with emerge -C) before an update can happen.
• Add support for Microsoft Azure Network Adapter (MANA) NICs on Azure (scripts#1131)
• Defined a systemd-sysext level that sysext images can match for instead of the OS version when they don't have a strong coupling, meaning the only metadata required is SYSEXT_LEVEL=1.0 and ID=flatcar (Flatcar#643)
• Removed the pre-shipped /etc/flatcar/update.conf file, leaving it totally to the user to define the contents as it was unnecessarily overwriting the /use/share/flatcar/update.conf (scripts#212)
• Rework the way we set up the default python intepreter in SDK - it is now without specifying a version. This should work fine as long as we keep having one version of python in SDK.
• Use qcow2 compressed format instead of additional compression layer in Qemu images (Flatcar#1135, scripts#1132)
• AWS: Added AWS IMDSv2 support to coreos-cloudinit (flatcar-linux/coreos-cloudinit#13)
• AWS EC2: Removed the setup of /etc/hostname from the instance metadata because it used a long FQDN but we can just use use the hostname set via DHCP (Flatcar#707)
• Azure: Azure VHD disks are now created using subformat=fixed, which makes them suitable for immediate upload to Azure using any tool.
• Azure: Set up /etc/hostname from instance metadata with Afterburn
• OpenStack: enabled [email protected] to provision SSH keys from metadata. (Flatcar#817, coreos-overlay#2246)
• VMWare: Added ignition-delete-config.service to remove Ignition config from VM metadata, see also here (coreos-overlay#1948)
• SDK / ARM64: Added go-tspi bindings for ARM64

Updates:

• Linux (5.15.132 (includes 5.15.131, 5.15.130, 5.15.129, 5.15.128, 5.15.127, 5.15.126, 5.15.125, 5.15.124, 5.15.123, 5.15.122, 5.15.121, 5.15.120, 5.15.119, 5.15.118, 5.15.117, 5.15.116, 5.15.115, 5.15.114, 5.15.113, 5.15.112, 5.15.111, 5.15.110, 5.15.109, 5.15.108, 5.15.107, 5.15.106, 5.15.105, 5.15.104, 5.15.103, 5.15.102, 5.15.101, 5.15.100, 5.15.99, 5.15.98, 5.15.97, 5.15.96, 5.15.95, 5.15.94, 5.15.93, 5.15.92, 5.15.91, 5.15.90, 5.15.89, 5.15.88, 5.15.87, 5.15.86, 5.15.85, 5.15.84, 5.15.83, 5.15.82, 5.15.81, 5.15.80, 5.15.79, 5.15.78, 5.15.77, 5.15.76, 5.15.75, 5.15.74, 5.15.73, 5.15.72, 5.15.71, 5.15.70, 5.15.69, 5.15.68, 5.15.67, 5.15.66, 5.15.65, 5.15.64, 5.15.63, 5.15.62, 5.15.61, 5.15.60, 5.15.59, 5.15.58, 5.15.57, 5.15.56, 5.15.55, 5.15.54, 5.15.53, 5.15.52, 5.15.51, 5.15.50, 5.15.49, 5.15.48, 5.15.47, 5.15.46, 5.15.45, 5.15.44, 5.15.43, 5.15.42, 5.15.41, 5.15.40, 5.15.39, 5.15.38, 5.15.37, 5.15.36, 5.15.35, 5.15.34, 5.15.33, 5.15.32, 5.15.31, 5.15.30, 5.15.29, 5.15.28, 5.15.27, 5.15.26, 5.15.25, 5.15.24, 5.15.23, 5.15.22, 5.15.21, 5.15.20, 5.15.19, 5.15.18, 5.15.17, 5.15.16, 5.15.15, 5.15.14, 5.15.13, 5.15.12, 5.15.11, 5.15.10, 5.15.9, 5.15.8, 5.15.7, 5.15.6, 5.15.5, 5.15.4))
• Linux Firmware (20230117 (includes 20221214, 20221109, 20221012, 20220913, 20220815, 20220708, 20220610, 20220509, 20220411, 20220310, 20220209))
• Linux Headers (5.15)
• Go (1.19.5 (includes 1.19.4, 1.19.3, 1.18.10, 1.18.9, 1.18.7, 1.18.6, 1.18.4, 1.18.2, 1.17.9))
• Docker (20.10.23 (includes 20.10.22, 20.10.21, 20.10.20, 20.10.18, 20.10.17, 20.10.16, 20.10.15, 20.10.14, 20.10.13))
• acl (2.3.1)
• new: acpid (2.0.33)
• adcli (0.9.2 (includes 0.9.1))
• afterburn (5.2.0)
• attr (2.5.1)
• audit (3.0.6)
• automake (1.16.5)
• bind tools (9.16.36 (includes 9.16.35, 9.16.34, 9.16.33, 9.16.27))
• binutils (2.39 (includes 2.38))
• boost (1.79 (includes 1.76.0))
• bpftool (5.19.12 (includes 5.19.8, 5.19.2, 5.18.11, 5.15.8))
• bridge-utils (1.7.1)
• btrfs-progs (5.15.1)
• ca-certificates (3.93 (includes 3.90, 3.78))
• cifs-utils (6.15 (includes 6.13))
• conntrack-tools (1.4.6)
• containerd (1.6.16 (includes 1.6.15, 1.6.14, 1.6.13, 1.6.12, 1.6.10, 1.6.9, 1.6.8, 1.6.7, 1.6.6, 1.6.4, 1.6.3, 1.6.2, 1.6.1, 1.6.0))
• coreutils (8.32)
• cpio (2.13)
• cri-tools (1.24.2)
• cryptsetup (2.4.3)
• curl (7.87.0 (includes 7.86, 7.85, 7.84.0, 7.83.1))
• Cyrus SASL (2.1.28)
• dbus (1.14.4 (includes 1.12.22))
• diffutils (3.8)
• dosfstools (4.2)
• duktape (2.7.0)
• e2fsprogs (1.46.5 (includes 1.46.4))
• elfutils (0.188 (includes 0.187, 0.186))
• ethtool (5.10)
• expat (2.5.0 (includes 2.4.9))
• findutils (4.8.0)
• gawk (5.2.1 (contains 5.2.0))
• gcc (11.3.0 (includes 10.3.0, 9.4.0))
• gdb (11.2)
• gdbm (1.22)
• gettext (0.21.1 (includes 0.21))
• git (2.39.1 (includes 2.39.0, 2.38.3, 2.37.4, 2.37.3, 2.37.1, 2.35.3))
• glib (2.74.4 (includes 2.74.1, 2.72.3, 2.68.4))
• glibc (2.36 (includes 2.35, 2.34))
• gnupg (2.2.35)
• gnutls (3.7.8 (includes 3.7.7, 3.7.3))
• grep (3.7)
• gzip (1.12 (includes 1.11))
• i2c-tools (4.3 (includes 4.2))
• ignition (2.14.0 (includes 2.13.0))
• intel-microcode (20220809 (includes 20220510, 20220207_p20220207, 20221108))
• iperf (3.10.1)
• iproute2 (5.15)
• ipset (7.11)
• iptables (1.8.8)
• iputils (20211215 (includes 20210722))
• ipvsadm (1.27)
• jansson (2.14)
• kmod (29)
• ldb (2.4.1)
• less (590)
• libarchive (3.6.1 (includes 3.5.3, 3.5.2))
• libbsd (0.11.3)
• libcap (2.66 (includes 2.65))
• libcap-ng (0.8.3 (includes 0.8.2))
• libksba (1.6.3 (includes 1.6.2))
• libnetfilter_queue (1.0.5)
• libpcap (1.10.1)
• libseccomp (2.5.4 (contains 2.5.3, 2.5.2, 2.5.1))
• libtasn1 (4.19.0 (includes 4.17.0))
• liburing (2.1)
• libxml2 (2.10.3 (includes 2.10.2, 2.9.14, 2.9.13))
• logrotate (3.20.1)
• lshw (02.19.2b_p20210121)
• lsof (4.94.0)
• lsscsi (0.32)
• mantle (0.18.0 (includes 0.17.0))
• mdadm (4.2)
• MIT Kerberos V (1.20.1)
• multipath-tools (0.9.3 (includes 0.8.7))
• ncurses (6.3_p20220423)
• nettle (3.8.1)
• nfs-utils (2.5.4)
• nghttp2 (1.45.1)
• nmap (7.93)
• nvidia-drivers (510.73.05)
• nvme-cli (1.16)
• oniguruma (6.9.8 (includes 6.9.7.1))
• open-isns (0.101)
• openssh (9.1 (includes 8.8))
• openssl (3.0.7 (includes 3.0.3, 3.0.2, 3.0.1))
• pam (1.5.1_p20210622)
• pambase (20220214)
• parted (3.4 (includes 3.3))
• pciutils (3.7.0)
• pcre2 (10.39)
• pinentry (1.2.0)
• polkit (121 (includes 0.120))
• quota (4.06)
• rpcbind (1.2.6)
• rsync (3.2.7 (includes 3.2.6, 3.2.4))
• runc (1.1.4 (includes 1.1.3, 1.1.2, 1.1.1, 1.1.0))
• samba (4.15.4)
• sed (4.8)
• shadow (4.13 (includes 4.12.3, 4.11.1))
• socat (1.7.4.3)
• sqlite (3.40.1 (contains 3.40.0, 3.39.4, 3.38.1))
• strace (5.19)
• sudo (1.9.12_p2 (includes 1.9.12_p1, 1.9.10))
• systemd (252.11 (includes 252.5, 252, 251.10, 251, 250.7, 250.3, 249.7))
• talloc (2.3.3)
• tcpdump (4.99.1)
• tevent (0.11.0)
• thin-provisioning-tools (0.9.0)
• timezone-data (2021a)
• unzip (6.0_p27 (includes 6.0_p26))
• usbutils (014)
• util-linux (2.37.4)
• vim (9.0.1157 (includes 9.0.1000, 9.0.0828, 9.0.0655, 9.0.0469, 8.2.5066, 8.2.4328, 8.2.3582))
• wget (1.21.3)
• whois (5.5.14 (includes 5.5.13, 5.5.11))
• wireguard-tools (1.0.20210914)
• xfsprogs (5.14.2)
• xz-utils (5.4.1 (includes 5.4.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6))
• zlib (1.2.13 (includes 1.2.12))
• GCE: google-compute-image-packages (20190124)
• OEM: distro (1.7.0)
• OEM: libmspack (0.10.1_alpha)
• OEM: python (3.9.16 (includes 3.9.12, 3.9.8))
• SDK: bison (3.8.2)
• SDK: boost (1.81.0)
• SDK: catalyst (3.0.21)
• SDK: cmake (3.23.3)
• SDK: edk2-ovmf (202105)
• SDK: file (5.44 (includes 5.43, 5.40))
• SDK: gcc-config (2.5)
• SDK: iasl (20200717)
• SDK: ipxe (1.21.1)
• SDK: kexec-tools (2.0.22)
• SDK: libpng (1.6.39 (includes 1.6.38))
• SDK: libtool (2.4.7)
• SDK: libxslt (1.1.37 (includes 1.1.35))
• SDK: man-db (2.9.4)
• SDK: man-pages (5.12-r2)
• SDK: meson (0.62.2)
• SDK: netperf (2.7.0)
• SDK: ninja (1.11.0)
• SDK: pahole (1.23)
• SDK: perl (5.36.0 (includes 5.34.1, 5.15))
• SDK: pkgconf (1.8.0)
• SDK: portage (3.0.43 (includes 3.0.42, 3.0.41))
• SDK: Python (3.9.12 (includes 3.9.8))
• SDK: qemu (7.2.0 (includes 7.1.0, 7.0.0, 6.1.0))
• SDK: Rust (1.67.0 (includes 1.66.1, 1.66.0, 1.65.0, 1.64.0, 1.63.0, 1.62.1, 1.62.0, 1.61.0, 1.60.0, 1.59.0, 1.58.1, 1.57.0))
• SDK: sbsigntools (0.9.4)
• SDK: seabios (1.14.0)
• SDK: sgabios (0.1_pre10)
• SDK: squashfs-tools (4.5_p20210914)
• VMware: open-vm-tools (12.1.5 (includes 12.1.0, 12.0.5, 12.0.0))