Announcing new LTS-2022 release 3033.3.0

[Flatcar Container Linux User]

Hello,

We are pleased to announce the first release of the Flatcar Container Linux LTS-2022 channel, based on the Stable release with major version 3033. It is publicly available,
just like the Stable channel.

The LTS-2021 channel will get critical security updates for the next 6 months but not on a regular cadence. Users are encouraged to switch to the LTS-2022 channel. For those following the standard update server, this means switching the GROUP entry in "/etc/flatcar/update.conf" from "lts-2021" to "lts-2022". The GROUP entry "lts" will automatically point to the latest LTS channel and no action is needed in this case.

New LTS-2022 Release 3033.3.0

Changes since LTS-2021 2605.27.1

Update to CGroupsV2: Flatcar Container Linux migrates to the unified cgroup hierarchy (aka cgroups v2)! New nodes will utilize cgroups v2 by default. Existing nodes remain on cgroups v1 and need to be manually migrated to cgroups v2. To learn more about the cgroups v2 on Flatcar Container Linux and the migration guide, please refer to https://flatcar-linux.org/docs/latest/container-runtimes/switching-to-unified-cgroups/

Other notable changes: cri-tools and lbzip2 got added, PAM tally2 got replaced by PAM faillock, only a single Docker version is now shipped (20.10), and rkt, kubelet-wapper, dhcpcd, and containerd-stress got removed.

Security fixes:

(Note: Not all fixed issues may have been present in the old versions)

• Linux (CVE-2020-27170, CVE-2020-25220, CVE-2020-27171, CVE-2020-35499, CVE-2022-0286, CVE-2022-0516, CVE-2021-3411, CVE-2021-3489, CVE-2021-3490, CVE-2021-3491, CVE-2021-3501, CVE-2021-3543, CVE-2021-4001, CVE-2021-4028, CVE-2021-4204, CVE-2021-20268, CVE-2021-22600, CVE-2021-26708, CVE-2021-28039, CVE-2021-28691, CVE-2021-28952, CVE-2021-29266, CVE-2021-29646, CVE-2021-29649, CVE-2021-29657, CVE-2021-34866, CVE-2021-38166, CVE-2021-38206, CVE-2021-38207, CVE-2021-38209, CVE-2021-31440, CVE-2021-41073, CVE-2021-42327, CVE-2021-45402, CVE-2021-43267, CVE-2021-46283, CVE-2022-0847)
• systemd (CVE-2020-13529, CVE-2021-3997, CVE-2021-33910)
• Docker (CVE-2021-21284, CVE-2021-21285, CVE-2021-41089, CVE-2021-41091, CVE-2021-41092)
• containerd (CVE-2020-15257, CVE-2021-21334, CVE-2021-32760, CVE-2021-41103, CVE-2021-43816, CVE-2022-23648, CVE-2022-24769)
• Docker, containerd (CVE-2021-41190)
• glibc (CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2021-3998, CVE-2021-3999, CVE-2021-27645, CVE-2021-33574, CVE-2021-35942, CVE-2021-38604, CVE-2022-23218, CVE-2022-23219)
• Go (CVE-2020-28362, CVE-2020-28366, CVE-2020-28367, CVE-2021-27918, CVE-2021-27919, CVE-2021-29923, CVE-2021-31525, CVE-2021-33195,CVE-2021-33196,CVE-2021-33197,CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-38297, CVE-2021-39293, CVE-2021-44716, CVE-2021-44717, CVE-2021-41771, CVE-2021-41772, CVE-2022-23772, CVE-2022-23773, CVE-2022-23806, CVE-2022-24921)
• bash (CVE-2019-9924, CVE-2019-18276)
• binutils (CVE-2021-20197, CVE-2021-3487, CVE-2021-3530, CVE-2021-3549)
• boost (CVE-2012-2677)
• bsdiff CVE-2014-9862
• bzip2 (CVE-2019-12900)
• curl (CVE-2021-22876, CVE-2021-22890, CVE-2021-22898, CVE-2021-22901, CVE-2021-22945, CVE-2021-22946, CVE-2021-22947, CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
• c-ares (CVE-2020-8277, CVE-2021-3672)
• ca-certificates (CVE-2021-43527)
• cifs-utils (CVE-2020-14342)
• coreutils (CVE-2017-7476)
• dbus (CVE-2020-35512)
• expat (CVE-2013-0340, CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315)
• gettext (CVE-2020-12825)
• git (CVE-2021-21300, CVE-2021-40330)
• glib (CVE-2019-12450, CVE-2021-28153, CVE-2021-27218, CVE-2021-27219)
• gnupg (CVE-2020-25125)
• gnutls (CVE-2021-20231, CVE-2021-20232)
• gptfdisk (CVE-2021-0308)
• ignition (CVE-2020-14040)
• intel-microcode (CVE-2020-8694, CVE-2020-8695, CVE-2020-8696, CVE-2020-8698, CVE-2020-24489, CVE-2020-24511, CVE-2020-24513)
• libgcrypt (CVE-2021-33560, CVE-2021-40528)
• libpcre (CVE-2019-20838, CVE-2020-14155)
• libuv (CVE-2021-22918)
• libxml2 (CVE-2020-24977, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3541)
• lz4 (CVE-2021-3520)
• mit-krb5 (CVE-2021-36222)
• ncurses (CVE-2019-17594, CVE-2019-17595)
• nettle (CVE-2021-20305, CVE-2021-3580)
• ntp (CVE-2018-8956, CVE-2020-11868, CVE-2020-13817, CVE-2020-15025)
• nvidia-drivers (CVE-2022-21813, CVE-2022-21814)
• open-iscsi (CVE-2017-17840)
• openssl (CVE-2021-3449, CVE-2021-3450, CVE-2022-0778)
• openldap (CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230, CVE-2021-27212)
• pam CVE-2020-27780
• polkit (CVE-2021-3560, CVE-2021-4034)
• runc (CVE-2021-30465)
• samba (CVE-2019-3880, CVE-2019-10197, CVE-2019-10218, CVE-2020-10704, CVE-2020-10745, CVE-2020-14318, CVE-2020-14323, CVE-2020-14383)
• shadow (CVE-2019-19882)
• sqlite (CVE-2021-20227)
• sssd (CVE-2018-16838, CVE-2018-16883, CVE-2019-3811, CVE-2021-3621)
• tar (CVE-2021-20193)
• trousers (CVE-2020-24330, CVE-2020-24331)
• util-linux (CVE-2021-37600)
• vim (CVE-2021-3770, CVE-2021-3778, CVE-2021-3796)
• zstd (CVE-2021-24032)
• SDK: bison (CVE-2020-14150, CVE-2020-24240)
• SDK: dnsmasq (CVE-2021-3448, CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)
• SDK: perl (CVE-2020-10878)
• SDK: qemu (CVE-2020-10717, CVE-2020-13754, CVE-2020-15859, CVE-2020-15863, CVE-2020-16092, CVE-2020-25741, CVE-2020-25742, CVE-2020-25743)
• SDK: Rust (CVE-2020-36323, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-31162)

Bug fixes:

• The Torcx profile docker-1.12-no got fixed to reference the current Docker version instead of 19.03 which wasn't found on the image, causing Torcx to fail to provide Docker (coreos-overlay#1456)
• Ensured that the /run/xtables.lock coordination file exists for modifications of the xtables backend from containers (must be bind-mounted) or the iptables-legacy binaries on the host (init#57)
• SDK: Fixed build error popping up in the new SDK Container because policycoreutils used the wrong ROOT to update the SELinux store (coreos-overlay#1502)
• Fixed leak of SELinux policy store to the root filesystem top directory due to wrong store path in policycoreutils instead of /var/lib/selinux (flatcar-linux/Flatcar#596)
• Disabled the systemd-networkd settings ManageForeignRoutes and ManageForeignRoutingPolicyRules by default to ensure that CNIs like Cilium don't get their routes or routing policy rules discarded on network reconfiguration events (Flatcar#620).
• AWS: specify correct console (ttyS0) on kernel command line for ARM64 instances (coreos-overlay#1628)
• Prevented hitting races when creating filesystems in Ignition, these races caused boot failures like fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory when creating a btrfs root filesystem (ignition#35)
• Reverted the Linux kernel change to forbid xfrm id 0 for IPSec state because it broke Cilium (Flatcar#626, coreos-overlay#1682)
• Reverted the Linux kernel commit which broke networking on AWS instances which use Intel 82559 NIC (c4/m4) (Flatcar#665, coreos-overlay#1720)
• Added pahole to developer container, without it kernel modules built against /usr/src/linux may fail to probe with an 'invalid relocation target' error (coreos-overlay#1839)
• vim with USE=minimal was fixed to run without warning in the beginning portage-stable#260
• dev container: Fix github URL for coreos-overlay and portage-stable to use repos from flatcar-linux org directly instead of relying on redirects from the kinvolk org. This fixes checkouts with emerge-gitclone inside dev-container. scripts#194
• Added missing SELinux rule as initial step to resolve Torcx unpacking issue (coreos-overlay#1426)
• Randomize OEM filesystem UUID if mounting fails (init#47)
• Run emergency.target on ignition/torcx service unit failure in dracut (bootengine#28)
• Re-enabled kernel config FS_ENCRYPTION (coreos-overlay#1212)
• Fixed Perl in dev-container (coreos-overlay#1238)
• Fixed containerd config after introduction of CGroupsV2 (coreos-overlay#1214)
• Fixed path for amazon-ssm-agent in base-ec2.ign (coreos-overlay#1228)
• flatcar-install: randomized OEM filesystem UUID if mounting fails (init#47)
• Fixed null-pointer deref crash in Ignition when specifying the OEM filesystem without a label (ignition#25)
• Fixed locksmith adhering to reboot window when getting the etcd lock (locksmith#10)
• Fixed pam.d sssd LDAP auth with sudo (coreos-overlay#1170)
• Let network-cleanup.service finish before entering rootfs (coreos-overlay#1182)
• Fixed SELinux policy for Flannel CNI (coreos-overlay#1181)
• Set the cilium_vxlan interface to be not managed by networkd’s default setup with DHCP as it’s managed by Cilium. (init#43)
• Disabled SELinux by default on dockerd wrapper script (coreos-overlay#1149)
• Fixed the network-cleanup service race in the initramfs which resulted in a failure being reported
• GCE: Granted CAP_NET_ADMIN to set routes for the TCP LB when starting oem-gce.service (coreos-overlay#1146)
• Add the systemd tag in udev for Azure storage devices, to fix /boot automount (init#41)
• Update-engine sent empty requests when restarted before a pending reboot (Flatcar#388)
• systemd-networkd: Do not manage loopback network interface (bootengine#24 init#40)
• flatcar-install: Detect device mapper (e.g., LVM/LUKS) usage when searching for free drives with the -s flag (Flatcar#332)
• GCE: The old interface name ens4v1 which was replaced by eth0 due to a broken udev rule was restored, but now as alternative interface name, and eth0 will stay the primary name for consistency across cloud environments. (init#38)
• Include firmware files for all modules shipped in our image (Issue #359, coreos-overlay#887)
• Add explicit path to the binary call in the coreos-metadata unit file (Issue #360)
• sys-apps/systemd: Fix unit installation (coreos-overlay#810)
• passwd: use correct GID for tss (baselayout#15)
• coreos-base/gmerge: Stop installing gmerge script (coreos-overlay#828)
• Update sys-apps/coreutils and make sure they have split-usr disabled for generic images (coreos-overlay#829)
• afterburn (coreos-metadata): Restart on failure and keep coreos-metadata unit active (coreos-overlay#768)
• network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting (flatcar-linux/init#51, flatcar-linux/cloudinit#12, flatcar-linux/bootengine#30)
• Added a new flatcar-update tool to the image to ease manual updates, rollbacks, channel/release jumping, and airgapped updates (flatcar-linux/init#53)
• Default again to disable SELinux permissions checks in systemd which was missing in the initial systemd 246 update
• Default again to set DefaultTasksMax=100% in systemd which was missing in the initial systemd 246 update
• Make systemd detect updates again when the /usr partition changes which was missing in the initial systemd 246 update
• Default again to disabling IP Forwarding in systemd which was missing in the initial systemd 246 update
• Default again to waiting only for one network interface to be ready with systemd-networkd-wait-online which was missing in the initial systemd 246 update

Changes:

• Backported elf support for iproute2 (coreos-overlay#1256)
• Enabled the FIPS support for the Linux kernel, which users can now choose through a kernel parameter in grub.cfg (check it taking effect with cat /proc/sys/crypto/fips_enabled) (coreos-overlay#1602)
• Merge the Flatcar Pro features into the regular Flatcar images (coreos-overlay#1679)
• Added support for switching back to CGroupsV1 without requiring a reboot. Create /etc/flatcar-cgroupv1 through ignition. (coreos-overlay#1666)
• Enabled FIPS mode for cryptsetup (coreos-overlay#1747)
• GCE: Enabled GVE kernel driver, which adds support for Google Virtual NIC on GCP (coreos-overlay#1802)
• Enabled FIPS mode for cryptsetup (portage-stable#312)
• Added GPIO support (coreos-overlay#1236)
• Added Azure Generation 2 VM support (coreos-overlay#1198)
• Switched Docker ecosystem packages to go1.16 (coreos-overlay#1217)
• Added lbzip2 binary to the image (coreos-overlay#1221)
• flatcar-install uses lbzip2 if present, falls back on bzip2 if not (init#46)
• Added Intel E800 series network adapter driver (coreos-overlay#1237)
• Enabled ‘audit’ use flag for sys-libs/pam (coreos-overlay#1233)
• Bumped etcd and flannel to respectively 3.5.0, 0.14.0 to get multiarch images for arm64 support. Note for users of the old etcd v2 support: ETCDCTL_API=2 must be set to use v2 store as well as ETCD_ENABLE_V2=true in the etcd-member.service - this support will be removed in 3.6.0 (coreos-overlay#1179)
• cgroups v2 by default for new nodes (coreos-overlay#931)
• Upgrade Docker to 20.10 (coreos-overlay#931)
• update_engine: add postinstall hook to stay on cgroupv1 (update_engine#13)
• Switched to zstd compression for the initramfs (coreos-overlay#1136)
• Embedded new subkey in flatcar-install (coreos-overlay#1180)
• Azure: Compile OEM contents for all architectures (coreos-overlay#1196)
• AWS: Added amazon-ssm-agent (coreos-overlay#1162)
• Switched dm-verity corruption detection to issue a kernel panic (a panic results in a reboot after 1 minute, this was the case before already) instead of merely failing certain syscalls that try to use the corrupted data
• Support BTRFS in OEM and /usr partitions, but only used it for the OEM partition for now. Ignition configurations that refer to the OEM partition will work with any filesystem format specified, a mismatch is not resulting in a boot error. (coreos-overlay#1106)
• Enabled zstd compression for the initramfs and for amd64 also for the kernel because we hit the vmlinuz size limit on the /boot partition
• Deleted the unused kernel+initramfs vmlinuz file from the /usr partition
• devcontainer: added support to run on arm64 by switching to an architecture-agnostic partition UUID
• Enabled ARM64 SDK bootstrap (scripts#134)
• Enable telnet support for curl (coreos-overlay#1099)
• Enable MDIO_BCM_UNIMAC for arm64 (coreos-overlay#929)
• Disabled SELinux for Docker (coreos-overlay#1055)
• flatcar-install: Add -D flag to only download the image file (Flatcar#248)
• Make the hostname setting units optional. Having the hostname units as required by the initrd.target meant that if the unit failed the machine wouldn’t start, disrupting the whole boot. (bootengine#23)
• Enable using iSCSI netroot devices on Flatcar (bootengine#22)
• The virtio network interfaces got predictable interface names as alternative interface names, and thus these names can also be used to match for a specific interface in case there is more than one and the eth0 and eth1 name assignment is not stable. (init#38)
• The pam_faillock PAM module was enabled as replacement for the removed pam_tally2 module and will temporarily lock an account if there were login attempts with a wrong password. The faillock command can be used to show the current state. With pam_tally2 there was no limit for wrong password login attempts but with faillock the default is already restricting the attempts. The default behavior was relaxed to allow 5 wrong passwords per two minutes, and a one minute account lock time. This does not apply to logins with an SSH key. (baselayout#17)
• The etcd and flannel services are now run with Docker and any rkt-based customizations of the etcd-member and flanneld services not supported anymore. Also, because the flanneld service relies on Docker and will restart Docker after applying the new configuration, it is not possible anymore to set Requires=flanneld.service for docker.service and instead it’s enough to have flanneld.service enabled. (coreos-overlay#857)
• sshd: use secure crypto algos only (coreos-overlay#852)
• samba: Update to EAPI=7, add new USE flags and remove deps on icu (coreos-overlay#864)
• kernel: enable kernel config CONFIG_BPF_LSM (coreos-overlay#846)
• bootengine: set hostname for EC2 and OpenStack from metadata (coreos-overlay#848)
• sys-block/open-iscsi: Command substitution in iscsi-init system service (coreos-overlay#801)
• scripts/motdgen: Add OEM information to motd output (init#34)
• torcx: delete Docker 1.12 (coreos-overlay#826)
• portage update: update portage and related packages to newer versions (coreos-overlay#840)
• bin/flatcar-install: add parameters to make wget more resilient (init#35)
• With the open-iscsi update to 2.1.2, the service unit name changed from iscsid to iscsi (coreos-overlay#682)
• Updated nsswitch.conf to use systemd-resolved (baselayout#10)
• Enabled systemd-resolved stub listeners (baselayout#11)
• systemd-resolved: Disabled DNSSEC for the mean time (baselayout#14)
• kernel: enabled CONFIG_DEBUG_INFO_BTF (coreos-overlay#753)
• containerd: Disabled shim debug logs (coreos-overlay#766)
• Enable BCMGENET as a module on arm64_defconfig-5.9 (coreos-overlay#717)
• Enable BCM7XXX_PHY as a module on arm64_defconfig-5.9 for Raspberry Pi 4 (coreos-overlay#716)
• flatcar_production_qemu.sh: Use more CPUs for ARM if available (scripts#91)
• Enabled the kernel config HOTPLUG_PCI_ACPI for arm64 to support attaching EC2 volumes (coreos-overlay#705)
• Support the lockdown kernel command line parameter (coreos-overlay#533)
• AWS arm64: Enable elastic network adapter module (coreos-overlay#631)
• rkt and kubelet-wrapper are deprecated and removed from Alpha, also from subsequent channels in the future. Please read the removal announcement to know more.

Updates:

• Linux (5.10.109) (from 5.4.188)
• Linux Firmware (20211216)
• systemd (249.10)
• glibc (2.33)
• Go (1.17.8)
• Docker (20.10.12)
• bash (5.1)
• c-ares (1.17.2)
• ca-certificates (3.73)
• containerd (1.5.11)
• coreutils (8.32)
• cryptsetup (2.3.6)
• curl (7.79.1)
• dbus (1.12.20)
• ebtables (2.0.11)
• etcd-wrapper (3.5.0)
• etcdctl (3.5.0)
• expat (2.4.6)
• flannel-wrapper (0.14)
• gawk (5.1.0)
• gettext (0.21)
• git (2.32.0)
• glib (2.66.8)
• gnupg (2.2.29)
• gnutls (3.7.1)
• gptfdisk (1.0.7)
• ignition (0.36.1)
• intel-microcode (20210608_p20210608)
• iptables (1.8.7)
• keyutils (1.6.1)
• ldb (2.3.0)
• libarchive (3.5.1)
• libev (4.33)
• libgcrypt (1.9.4)
• libmnl (1.0.4)
• libnftnl (1.2.0)
• libpcre (8.44)
• libselinux (3.1)
• libsemanage (3.1)
• libsepol (3.1)
• libtirpc (1.3.2)
• libuv (1.41.1)
• libverto (0.3.1)
• libxml2 (2.9.12)
• lvm2 (2.02.188)
• lz4 (1.9.3)
• mit-krb5 (1.19.2)
• multipath-tools (0.8.5)
• ncurses (6.2)
• net-tools (2.10)
• nettle (3.7.3)
• nftables (0.9.9)
• nvidia-drivers (510.47.03)
• openldap (2.4.58)
• openssh (8.7)
• openssl (1.1.1n)
• pam (1.5.1)
• pambase 20200817
• pax-utils (1.3.1)
• policycoreutils (3.1)
• polkit (0.119)
• readline (8.1)
• realmd (0.17.0)
• runc (1.0.3)
• samba (4.12.9)
• selinux-base (2.20200818)
• selinux-base-policy (2.20200818)
• selinux-unconfined (2.20200818)
• selinux-virt (2.20200818)
• sssd (2.3.1)
• strace (5.12)
• talloc (2.3.2)
• tar (1.34)
• util-linux (2.37.2)
• vim (8.2.3428)
• xenstore (4.14)
• xz-utils (5.2.5)
• zstd (1.4.9)
• Azure: WALinuxAgent (2.6.0.2)

Changes since Stable 3033.2.4

Security fixes:

• nvidia-drivers (CVE-2022-21814, CVE-2022-21813)
• containerd (CVE-2022-24769)

Bug fixes:

• AWS: specify correct console (ttyS0) on kernel command line for ARM64 instances (coreos-overlay#1628)
• Added pahole to developer container, without it kernel modules built against /usr/src/linux may fail to probe with an 'invalid relocation target' error (coreos-overlay#1839)
• network: Accept ICMPv6 Router Advertisements to fix IPv6 address assignment in the default DHCP setting (flatcar-linux/init#51, flatcar-linux/cloudinit#12, flatcar-linux/bootengine#30)

Changes:

• The systemd-networkd ManageForeignRoutes and ManageForeignRoutingPolicyRules settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under /etc/systemd/networkd.conf.d/ because drop-in files take precedence over /etc/systemd/networkd.conf (init#61)
• Excluded special network interface devices like bridge, tunnel, vxlan, and veth devices from the default DHCP configuration to prevent networkd interference (init#56)
• Added a new flatcar-update tool to the image to ease manual updates, rollbacks, channel/release jumping, and airgapped updates (flatcar-linux/init#53)
• Merge the Flatcar Pro features into the regular Flatcar images (coreos-overlay#1679)
• Enabled the FIPS support for the Linux kernel, which users can now choose through a kernel parameter in grub.cfg (check it taking effect with cat /proc/sys/crypto/fips_enabled) (coreos-overlay#1602)
• Merge the Flatcar Pro features into the regular Flatcar images (coreos-overlay#1679)
• Enabled FIPS mode for cryptsetup (flatcar-linux/coreos-overlay#1747, portage-stable#312)
• GCE: Enabled GVE kernel driver, which adds support for Google Virtual NIC on GCP (coreos-overlay#1802)
• SDK: Dropped the mantle binaries (kola, ore, etc.) from the SDK, they are now provided by the ghcr.io/flatcar-linux/mantle image (coreos-overlay#1827, scripts#275)

Updates:

• Linux (5.10.109 with 5.10.108)
• ca-certificates (3.77)
• containerd (1.5.11)
• nvidia-drivers (510.47.03)
• Azure: WALinuxAgent (2.6.0.2)

Best,
The Flatcar Container Linux Maintainers