Announcing new releases Alpha 4372.0.0, Beta 4344.1.0, Stable 4230.2.0

51 views
Skip to first unread message

Flatcar Container Linux User

unread,
Jun 25, 2025, 5:29:30 AMJun 25
to Flatcar Container Linux User

Hello,

We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable channel.

Alpha 4372.0.0

Changes since Alpha 4344.0.0

Security fixes: Bug fixes:
  • Fixed race condition in the script that grows the root partition to fill the disk. This bug sometimes caused the operation to not occur. (init#132)
Changes:
  • Added support for podman in toolbox (toolbox#11)
  • /boot is now only accessible by the root user for better security. (Flatcar#296)
  • sysext-incus: removed /etc/subuid and /etc/subgid generation for root user, it has to be created through initial provisioning. (scripts#3028)
Updates:

--

Beta 4344.1.0

Changes since Beta 4230.1.1

Security fixes: Bug fixes:
  • Added back some BCC tools (scripts#2900)
  • Fix non-conforming GPT partition table (flatcar/Flatcar#1651)
  • Fixed path handling in the QEMU .sh launcher scripts. Given paths now are relative to the current directory and absolute paths work as you would expect.
  • Fixed race condition in the script that grows the root partition to fill the disk. This bug sometimes caused the operation to not occur. (init#132)
  • Fixed the inclusion of Intel and AMD CPU microcode in the initrd. This was accidentally dropped some time ago.
  • azure: Fixed issue of wa-linux-agent overriding ssh public key from ignition configuration during provisioning (flatcar/Flatcar#1661)
  • update-ssh-keys: More intuitive --help text and the -n (no-replace) option has been fixed. (flatcar/Flatcar#1554)
Changes:
  • Add changes for our secureboot signed images with our signed release process until the official shim signing (scripts#2754)
  • Added nftables-load.service and nftables-store.service services to load/store rules from/in /var/lib/nftables/rules-save (Flatcar#900)
  • Added support for podman in toolbox (toolbox#11)
  • Allow per-sysext USE flags and architecture-specific sysexts. (scripts#2798)
  • Always truncate hostnames on the first occurrence of . (cloud-init#32)
  • Build Intel iGPU i915 driver as module (scripts#2349)
  • Compile OS-dependent NVIDIA kernel module sysexts signed for secure boot. (scripts#2798)
  • Enabled EROFS module with XATTR support (Flatcar#1659)
  • Enabled virtiofs and fuse-dax modules in the kernel for advaned Qemu usecases. Thank you @aaronk6! (Flatcar#2825)
  • Ensure hostnames never exceeds 63 characters, regardless of the metadata provider (cloud-init#31)
  • Provided an Incus Flatcar extension as optional systemd-sysext image with the release. Write 'incus' to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning. (scripts#1655)
  • Sign out-of-tree kernel modules using the ephemeral signing key so that ZFS and NVIDIA sysexts can work with secure boot. (scripts#2636)
  • The kernel image and its embedded initrd are now compressed with xz rather than zstd. This gives greater compression at the cost of decompression performance. Systems may therefore now be ever so slightly slower to boot, but this was necessary to avoid running out of space in the /boot partition. Further measures to address the space issue are planned, and perhaps we can switch back to zstd in a later release.
  • The qemu script (flatcar_production_qemu*.sh) received two new options. -D (or -image-disk-opts) can be used to add extra options to the virtio-blk-pci device for primary disk. -d (or -disk) can be used to add extra disks to the machine - this one takes a path to a raw or qcow2 image file and, after a comma, virtio-blk-pci options. To learn what disk options can be passed to -D or -d, call qemu-system-x86_64 -device virtio-blk-pci,help (qemu-system-aarch64 can be used too).
  • /boot is now only accessible by the root user for better security. (Flatcar#296)
  • sysext-incus: removed /etc/subuid and /etc/subgid generation for root user, it has to be created through initial provisioning. (scripts#3028)
  • systemd now uses OpenSSL instead of gcrypt for cryptography to reduce the size of the initrd. This change disables systemd-journal's Forward Secure Sealing feature, but it is generally not useful for Flatcar.
Updates:

Changes since Alpha 4344.0.0

Security fixes: Bug fixes:
  • Fixed race condition in the script that grows the root partition to fill the disk. This bug sometimes caused the operation to not occur. (init#132)
Changes:
  • Added support for podman in toolbox (toolbox#11)
  • /boot is now only accessible by the root user for better security. (Flatcar#296)
  • sysext-incus: removed /etc/subuid and /etc/subgid generation for root user, it has to be created through initial provisioning. (scripts#3028)
Updates:

--

Stable 4230.2.0

Changes since Stable 4152.2.3

Security fixes: Bug fixes:
  • Fixed PXE boot failures that arose since upgrading to systemd v256. Users were dumped to an emergency shell. (flatcar/bootengine#103)
  • Fixed creating netdev arguments to correctly include commas when no port forwards are passed (flatcar/scripts#2581)
  • The kernel module build directory now contains native binaries in arm64 images instead of the previous amd64 binaries (scripts#2694)
  • Nvidia driver installer service now supports the 570 driver branch by forcing the use of the proprietary kernel module. The 570 branch defaults to the kernel-open driver which requires loading firmware, which is not yet supported on Flatcar. (scripts#2694)
  • Added back some BCC tools (scripts#2900)
Changes:
  • Added support for ARM64 architecture in the NVIDIA driver installer service (scripts#2694)
  • Added support for multiple port forwarding parameters in the QEMU startup script. Users can now specify multiple port forwards using the -f option. (flatcar/scripts#2575)
  • Additional GRUB modules are no longer installed for UEFI platforms to save space and also because they cannot be loaded with Secure Boot enabled. This does not affect existing installations.
  • The GRUB modules on non-UEFI platforms are now compressed with xz rather than gzip to save even more space. This does not affect existing installations.
  • The VFIO kernel modules are now also available in ARM64 builds. (flatcar/scripts#2484)
  • Enabled the gtp kernel module. This is the GPRS Tunneling Protocol datapath for usage in telecoms scenarios. (flatcar/scripts#2504)
Updates:

Changes since Beta 4230.1.1

Security fixes: Bug fixes: Updates:

Best,

The Flatcar Container Linux Maintainers


Reply all
Reply to author
Forward
This conversation is locked
You cannot reply and perform actions on locked conversations.
0 new messages