Releases: kairos-io/kairos
v3.2.1
What's Changed
✨ Improvements
- Show sources in config string by @jimmykarily in kairos-io/kairos-agent#550
  - Now when checking the configs you will see the sources used to generate them
- Expose the Analyze method of kairos-agent run-stage by @Itxaka in kairos-io/kairos-agent#548
  - Now kairos-agent runstage can be run with the flag --analyze or -a to only show what steps would be run from a given stage and in the order they will be run.
- Accept more paths to devices for install by @Itxaka in kairos-io/kairos-agent#552
  - Now the install target accepts devices identified by /dev/disk/by-{uuid,label,path,diskseq}
⬆️ Dependencies
🐛 Fixed bugs
- Add missing binary to nvidia images by @Itxaka in #2918
- Dracut immucore should fatal if binaries are missing in #2692
- Alpine initrd should mount the livecd under /run/initramfs/live in #2912
- systemd-networkd-wait-online fails with multiple ethernet where one or more is disconnected in #2898
- AuroraBoot doesn't copy cloud config file in #2876
- Fix partitioner not identifying mmc/nvme partitions by @Itxaka in kairos-io/kairos-agent#563
- Fix reset by @Itxaka in kairos-io/kairos-agent#565
- Fix mkfs using the wrong label for the fs label by @Itxaka in kairos-io/kairos-agent#556
🤖 CI related
- Revert the trivy DB changes by @Itxaka in #2889
- Cache trivy by @jimmykarily in #2910
- Cache trivy in one more pipeline by @jimmykarily in #2913
- Cache even more trivy by @jimmykarily in #2914
- Install arm64 earthly by @Itxaka in #2916
Full Changelog: v3.2.0...v3.2.1
v3.2.1-rc1
What's Changed
- 🤖 Revert the trivy DB changes by @Itxaka in #2889
- Cache trivy by @jimmykarily in #2910
- Cache trivy in one more pipeline by @jimmykarily in #2913
- Cache even more trivy by @jimmykarily in #2914
- Install arm64 earthly by @Itxaka in #2916
- ⬆️ Bump framework by @Itxaka in #2915
- 🐛 Add missing binary to nvidia images by @Itxaka in #2918
Full Changelog: v3.2.0...v3.2.1-rc1
v3.2.0
This is a "milestone" release as it signifies the completeness of a set of planned stories. You can see what was planned for the v3.2.0 release in the relevant ticket: #2052
What's Changed
- Fixed recovery reset (kairos-io/kairos-agent#565)
- Make it possible to refer to disks using labels and ids (device names were the only option up to now) (kairos-io/kairos-agent#563, kairos-io/kairos-agent#558, kairos-io/kairos-agent#552)
- Make the kairos-agent skip yip config directories when parsing for installation/upgrade/reset configuration and allow users to override built-in configuration using datasource by parsing /oem last (kairos-io/kairos-agent#562)
- Show merged configs as a comment in the final kairos config and when running kairos-agent config command (kairos-io/kairos-agent#550)
- Expose the "analyze" method of yip in the kairos-agent run-stage command (kairos-io/kairos-agent#548)
- Update aquasec/trivy Docker tag to v0.55.2 by @renovate in #2867
- Update github/codeql-action action to v3.26.8 by @renovate in #2873
- 🤖 Allow testing provider dev versions by @Itxaka in #2870
- 🐛 Do not blindly install all tpm2 tools by @Itxaka in #2884
- Store logs on earthly by @Itxaka in #2880
- 🤖 Cache trivy DB before running the build by @Itxaka in #2885
- Bump framework by @Itxaka in #2891
- Test selecting disk by uuid+label by @Itxaka in #2877
- Don't run both rngd and haveged by @jimmykarily in #2890
- 🤖 Add missing secrets: inherit by @Itxaka in #2897
- Update quay.io/kairos/framework Docker tag to v2.12.1 by @renovate in #2902
Full Changelog: v3.1.3...v3.2.0
v3.2.0-rc1
See the v3.2.0 release notes - This was an rc
v3.1.3
Release highlights:
- In the previous release, we introduced a fix for the broken permissions of the user's home directory. It turned out that the fix only applied to users created by the top level users: key in the Kairos configuration file. In this release, users created in various stages will also get their home directory permissions fixed. If, for some reason, you don't want the script to recursively fix the home directory permissions, you can create a sentinel file to skip the fix and apply it on your own as you see fit.
- Fixed an issue where we didn't calculate the upgrade image size and always created an image with the default size (#2818)
- Fixed an issue in Kairos upgrades through Kubernetes, where various host directories were also used in image size calculation (kairos-io/kairos-agent#537)
- We now display the webui url below the QR code to avoid people having to plug a keyboard just to find the IP address of the node (#2826)
- Fixed a bug in Alpine flavors where we passed the edgevpn arguments in the openrc service file wrongly (#2789)
- Lots of version bumps on dependencies (mostly automated).
Known Issues
- [Carry over from previous releases] RPi EFI booting no longer supported on kernels shipped with Ubuntu 24.04+ #2249
What's Changed
- Add permissions to generic arm release pipeline by @mauromorales in #2840
- Update tj-actions/changed-files action to v45 by @renovate in #2816
- Add upgrade uki test by @jimmykarily in #2776
- Update dependency go to v1.23.1 by @renovate in #2845
- Generate relative paths to files by @jimmykarily in #2846
- 🤖 Make arm64 workers use docker mirror by @Itxaka in #2850
- 🐛 Fix wifi cloud-config example by @jimmyjones2 in #2820
- 📖 Add alpine wifi cloud-config by @jimmyjones2 in #2819
- Update anchore/grype Docker tag to v0.80.1 by @renovate in #2852
- Update aquasec/trivy Docker tag to v0.55.0 by @renovate in #2781
- Update aquasec/trivy Docker tag to v0.55.1 by @renovate in #2854
- Update github/codeql-action action to v3.26.6 by @renovate in #2799
- Fix test printing old value for debugging by @jimmykarily in #2855
- Update google/osv-scanner-action action to v1.8.5 by @renovate in #2853
- Update quay.io/kairos/framework Docker tag to v2.11.5 by @renovate in #2856
- Update github/codeql-action action to v3.26.7 by @renovate in #2858
- Update quay.io/kairos/framework Docker tag to v2.11.7 by @renovate in #2859
- Split the uploading of trivy and grype results by @jimmykarily in #2860
New Contributors
- @jimmyjones2 made their first contribution in #2820
Full Changelog: v3.1.2...v3.1.3
v3.1.2
⚠️ The following issues have been resolved, so it is safe to upgrade again:
Kairos user ids change on upgrade, breaking ssh login #2797
Long duration hang during boot #2802
What's Changed
- 🤖 Check that install/recovery services are off during active boot by @Itxaka in #2775
- 🐧 Disable pcrlock for all systemd distros by @Itxaka in #2778
- 🐛 Empty machine-id instead of removing it by @Itxaka in #2784
- 🐛 Fix +base-image for Remote Execution by @sdwilsh in #2808
Full Changelog: v3.1.1...v3.1.2
v3.1.2-rc1
What's Changed
- Update softprops/action-gh-release action to v2.0.8 by @renovate in #2751
- Update manual tests by @mauromorales in #2747
- Update github/codeql-action action to v3.25.13 by @renovate in #2750
- Remove ubuntu 23.10 from the pipelines by @jimmykarily in #2756
- Update tj-actions/changed-files digest to 6b2903b by @renovate in #2746
- Update github/codeql-action digest to 2d79040 by @renovate in #2749
- Update docker/login-action digest to 9780b0c by @renovate in #2754
- Run arm jobs under arm workers by @Itxaka in #2757
- Update github/codeql-action action to v3.25.14 by @renovate in #2763
- Update module github.com/onsi/ginkgo/v2 to v2.19.1 by @renovate in #2768
- Update github/codeql-action action to v3.25.15 by @renovate in #2767
- Add manual test for edgevpn setup by @jimmykarily in #2771
- 🤖 Check that install/recovery services are off during active boot by @Itxaka in #2775
- Update ossf/scorecard-action action to v2.4.0 by @renovate in #2769
- Update docker/setup-buildx-action digest to 988b5a0 by @renovate in #2755
- Update github/codeql-action digest to afb54ba by @renovate in #2762
- Update renovate/renovate Docker tag to v38 by @renovate in #2765
- Update module github.com/onsi/gomega to v1.34.1 by @renovate in #2764
- 🐧 Disable pcrlock for all systemd distros by @Itxaka in #2778
- Update tj-actions/changed-files digest to c65cd88 by @renovate in #2780
- Update quay.io/luet/base Docker tag to v0.35.4 by @renovate in #2783
- 🐛 Empty machine-id instead of removing it by @Itxaka in #2784
- Update actions/upload-artifact digest to 89ef406 by @renovate in #2786
- Update actions/upload-artifact action to v4.3.5 by @renovate in #2787
- 🔧 Allow testing overlay files branches by @Itxaka in #2791
- Update module github.com/mudler/edgevpn to v0.27.0 by @renovate in #2803
- Update actions/upload-artifact action to v4.3.6 by @renovate in #2795
- Update google/osv-scanner-action action to v1.8.3 by @renovate in #2801
- Update dependency go to v1.23.0 by @renovate in #2796
- Update module github.com/mudler/edgevpn to v0.27.2 by @renovate in #2812
- Update github.com/mudler/go-processmanager digest to 8b802d3 by @renovate in #2811
- 🐛 Fix +base-image for Remote Execution by @sdwilsh in #2808
- Update module github.com/onsi/ginkgo/v2 to v2.20.1 by @renovate in #2815
- Update module github.com/mudler/edgevpn to v0.27.3 by @renovate in #2814
- Update google/osv-scanner-action action to v1.8.4 by @renovate in #2817
- Update module github.com/mudler/edgevpn to v0.27.4 by @renovate in #2822
- Update module github.com/onsi/ginkgo/v2 to v2.20.2 by @renovate in #2829
- Update quay.io/luet/base Docker tag to v0.35.5 by @renovate in #2831
- Update module github.com/onsi/gomega to v1.34.2 by @renovate in #2830
Full Changelog: v3.1.1...v3.1.2-rc1
v3.1.1
Upgrade issues
Be advised that there is currently an issue when upgrading from 3.0.x to 3.1.x in which the user ids will change. This will result in any files owned by the user under its /home directory losing permissions, which can lead to not being able to ssh (ssh keys will have a different user id).
We are currently working on a workaround, so you are advised to not upgrade until 3.1.2 is released with a fix for this.
What's Changed
Bug fixes 🐛
- Disable make cache timer on fedora by @Itxaka in #2717
- It's not possible to login on an Alpine 3.19 RPi fixed by @Itxaka #2439
- Expired password on system with no rtc (e.g. rpi4) on Alpine fixed by @Itxaka #1994
- cgroup_memory not mounted in Alpine rpi4 fixed by @Itxaka #2002
- reset from the GRUB menu on alpine, gets stuck in an endless loop @Itxaka #2136
Known Issues
- RPi EFI booting no longer supported on kernels shipped with Ubuntu 24.04+ #2249
Full Changelog: v3.1.0...v3.1.1
v3.1.0
Upgrade issues
Be advised that there is currently an issue when upgrading from 3.0.x to 3.1.x in which the user ids will change. This will result in any files owned by the user under its /home directory losing permissions, which can lead to not being able to ssh (ssh keys will have a different user id).
We are currently working on a workaround, so you are advised to not upgrade until 3.1.2 is released with a fix for this.
Potential Breaking Changes
By default, Uki artifacts (identified by the -uki suffix) no longer include Linux modules and firmware in the image. Real-world testing has shown that many EFI firmwares are very particular about the size of the EFI image, often refusing to boot if the file exceeds 300-400MB. Given the wide variety of EFI firmware implementations, predicting whether a UKI EFI file will boot on different hardware is challenging.
To enhance compatibility, we decided to slim down the UKI files by removing the largest components: the Linux modules and firmware packages. This results in EFI files around 200-300MB, which are much more likely to boot correctly across various EFI implementations.
However, this change comes with a trade-off. Smaller images, while being more compatible with a wide range of EFI firmwares, may lack comprehensive hardware support because they do not include all the Linux modules and firmware packages. This means that certain hardware components may not function correctly or optimally when using these slimmer UKI images.
On the other hand, larger UKI images, which include all necessary modules and firmware for extensive hardware support, provide better functionality and compatibility with a broad range of hardware. However, these larger images are more likely to encounter boot issues due to EFI firmware limitations, as many EFI implementations refuse to boot files larger than 300-400MB.
We publish -uki artifacts ourselves, which are the slimmed versions, as examples of how to build a slimmer UKI artifact. While these serve as a reference, we recommend always building your own custom images to tailor them to your specific hardware needs. If you need to include those packages for full hardware support, you can create a custom artifact to add them back, as detailed in the Kairos docs.
We recommend keeping your UKI EFI files as small as possible to maximize boot success across different EFI firmware implementations. While smaller images offer better compatibility, they may lack full hardware support. Conversely, larger images, which include all necessary modules and firmware, provide comprehensive hardware support but may fail to boot due to EFI firmware constraints.
Check out how to build your own base images with the Kairos Factory
What's Changed
💿 UKI
- UKI: measured systemd-sysext by @Itxaka #2117
- UKI: Verify images signature before upgrade by @Itxaka #2200
- UKI: Enroll keys during setup #2048
- Install limited amount of modules for UKI Ubuntu by @mauromorales in #2566
🐧
- Support for Ubuntu 24.04 LTS by @mauromorales #2138 and deprecation of 23.10
- Support for Fedora 40 by @Itxaka in #2502 and deprecation of previous versions
- refactor debian dockerfile to build arm by @mauromorales in #2542
- Bump opensuse Leap to 15.6 by @mauromorales in #2623
🐛
- fix(nvidia): do not ship nohang in nvidia-arm builds by @mudler in #2433
- Allow https protocol in ipxe by @jimmykarily in #2468
- fix(orin): disable ISCSI in the initramfs generation by @mudler in #2474
- 🐛 Move nfs-utils to common build target in opensuse flavor by @kaiehrhardt in #2495
- 🐛 Install cryptsetup for all arches in opensuse by @Itxaka in #2691
📖
- 📖 chore: fix typos by @xiaoxianBoy in #2441
- readme: add links to project governance by @mudler in #2498
- Update LICENSE by @mudler in #2503
- Add OpenSSF best practices badge by @mauromorales in #2639
- Add clomonitor badge by @mauromorales in #2640
- Link to GH Security Draft Advisory form by @mauromorales in #2650
🔧
New Contributors
- @xiaoxianBoy made their first contribution in #2441
Full Changelog: v3.0.14...v3.1.0
v3.1.0-rc2
What's Changed
- Define permissions following the principle of least privilege by @mauromorales in #2676
- Add osv scanning for PRs by @mauromorales in #2678
- Add missing permissions on master pipeline by @mauromorales in #2687
- Update robinraju/release-downloader action to v1.11 by @renovate in #2685
- Update github/codeql-action action to v3.25.11 by @renovate in #2683
- Update google/osv-scanner-action action to v1.8.1 by @renovate in #2684
- Update aquasec/trivy Docker tag to v0.53.0 by @renovate in #2612
- Add permissions to reusable-provider-tests by @mauromorales in #2688
- Update github/codeql-action digest to b611370 by @renovate in #2681
- 🐛 Install cryptsetup for all arches in opensuse by @Itxaka in #2691
- Update framework by @Itxaka in #2695
Full Changelog: v3.1.0-rc1...v3.1.0-rc2