We are pleased to announce a Flatcar Container Linux maintenance release for our LTS-2021 channel, as well as new major releases for our Stable, Beta and Alpha channel.
New Alpha release 2942.0.0
Security Fixes
containerd (CVE-2021-32760)
curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
glibc (CVE-2020-29562, CVE-2019-25013, CVE-2020-27618, CVE-2021-27645, CVE-2021-33574)
Go (CVE-2021-34558)
libgcrypt (CVE-2021-33560)
libpcre (CVE-2019-20838, CVE-2020-14155)
Linux (CVE-2020-26541, CVE-2021-35039, CVE-2021-22543, CVE-2021-3609, CVE-2021-3655, CVE-2021-33909)
Bug Fixes
Add the systemd tag in udev for Azure storage devices, to fix /boot automount (init#41)
Changes
Enable telnet support for curl (coreos-overlay#1099)
Enable ssl USE flag for wget (coreos-overlay#932)
Enable MDIO_BCM_UNIMAC for arm64 (coreos-overlay#929)
Updates
Linux (5.10.52)
containerd (1.5.4)
curl (7.78)
dbus (1.12.20)
dracut (053)
glibc (2.33)
go (1.16.6)
libev (4.33)
libgcrypt (1.9.3)
libpcre (8.44)
libverto (0.3.1)
pax-utils (1.3.1)
readline (8.1_p1)
rust (1.53.0)
selinux (3.1)
selinux-refpolicy (2.20200818)
systemd (247.7)
VMWare: open-vm-tools (11.3.0)
Note: ARM images remain experimental for now.
New Beta release 2920.1.0
Changes since Alpha 2920.0.0
Security Fixes
containerd (CVE-2021-32760)
curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
linux (CVE-2020-26541, CVE-2021-35039, CVE-2021-22543, CVE-2021-3609, CVE-2021-3655, CVE-2021-33909)
Changes since Beta 2905.1.0
Updates
Linux (5.10.52)
lz4 (1.9.3-r1)
curl (7.78)
gptfdisk (1.0.7)
gettext (0.21-r1)
intel-microcode (20210608_p20210608)
runc (1.0.0)
New Stable release 2905.2.0
Changes since Beta 2905.1.0
Security Fixes
containerd (CVE-2021-32760)
curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
linux (CVE-2020-26541, CVE-2021-35039, CVE-2021-22543, CVE-2021-3609, CVE-2021-3655, CVE-2021-33909)
Changes since Stable 2765.2.6
Security Fixes
Linux (CVE-2020-26541, CVE-2021-35039, CVE-2021-22543, CVE-2021-3609, CVE-2021-3655, CVE-2021-33909, CVE-2021-34693, CVE-2021-33624)
containerd (CVE-2021-32760)
curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
boost (CVE-2012-2677)
Docker (CVE-2021-21285, CVE-2021-21284)
c-ares (CVE-2020-8277)
coreutils (CVE-2017-7476)
dbus (CVE-2020-35512)
dnsmasq (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)
git (CVE-2021-21300)
glib (CVE-2021-28153, CVE-2021-27218, CVE-2021-27219)
gnutls (CVE-2021-20231, CVE-2021-20232)
intel-microcode (CVE-2020-8696, CVE-2020-8698)
libxml2 (CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3541)
ncurses (CVE-2019-17594, CVE-2019-17595)
openldap (CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230)
samba (CVE-2020-14318, CVE-2020-14323, CVE-2020-14383)
sqlite (CVE-2021-20227)
binutils (CVE-2021-20197, CVE-2021-3487)
Bug Fixes
passwd: use correct GID for tss (baselayout#15)
flatcar-eks: add missing mkdir and update to latest versions (coreos-overlay#817)
gmerge: Stop installing gmerge script (coreos-overlay#828)
Add explicit path to the binary call in the coreos-metadata unit file (Issue #360)
Fix the patch to update DefaultTasksMax in systemd (coreos-overlay#971)
Changes
Docker: disabled SELinux support in the Docker daemon
The pam_faillock PAM module was enabled as a replacement for the removed pam_tally2 module; it temporarily locks an account after login attempts with a wrong password. The faillock command shows the current state. With pam_tally2 there was no limit on wrong-password login attempts, whereas the faillock default already restricts them. The default was relaxed to allow 5 wrong passwords per two minutes, with a one-minute account lock time. This does not apply to logins with an SSH key. (baselayout#17)
The etcd and flannel services are now run with Docker, and rkt-based customizations of the etcd-member and flanneld services are no longer supported. Also, because the flanneld service relies on Docker and restarts Docker after applying the new configuration, it is no longer possible to set Requires=flanneld.service for docker.service; instead it is enough to have flanneld.service enabled. (coreos-overlay#857)
toolbox: replace rkt with docker (coreos-overlay#881)
flatcar-install: add parameters to make wget more resilient (init#35)
flatcar-install: Add -D flag to only download the image file (Flatcar#248)
flatcar-install: Detect device mapper (e.g., LVM/LUKS) usage when searching for free drives with the -s flag (Flatcar#332)
motd: Add OEM information to motd output (init#34)
open-iscsi: Command substitution in iscsi-init system service (coreos-overlay#801)
sshd: use secure crypto algorithms only (kinvolk/coreos-overlay#852)
kernel: enable kernel config CONFIG_BPF_LSM (kinvolk/coreos-overlay#846)
bootengine: set hostname for EC2 and OpenStack from metadata (kinvolk/coreos-overlay#848)
Make the hostname setting units optional. Having the hostname units as required by the initrd.target meant that if the unit failed the machine wouldn’t start, disrupting the whole boot. (bootengine#23)
Enable using iSCSI netroot devices on Flatcar (bootengine#22)
systemd-networkd: Do not manage loopback network interface (bootengine#24 init#40)
containerd: Removed the containerd-stress binary (coreos-overlay#858)
dhcpcd: Removed the dhcpcd binary from the image, systemd-networkd is the only DHCP client (coreos-overlay#858)
samba: Update to EAPI=7, add new USE flags and remove deps on icu (kinvolk/coreos-overlay#864)
GCE: The oem-gce.service was ported to use systemd-nspawn instead of rkt. A one-time action is required to fetch the new service file because the OEM partition is not updated: sudo curl -s -S -f -L -o /etc/systemd/system/oem-gce.service https://raw.githubusercontent.com/kinvolk/coreos-overlay/fe7b0047ef5b634ebe04c9627bbf1ce3008ee5fa/coreos-base/oem-gce/files/units/oem-gce.service && sudo systemctl daemon-reload && sudo systemctl restart oem-gce.service
SDK: update portage and related packages to newer versions (coreos-overlay#840)
SDK: Drop jobs parameter in flatcar-scripts (flatcar-scripts#121)
SDK: delete Go 1.6 (coreos-overlay#827)
Update coreutils and make sure they have split-usr disabled for generic images (coreos-overlay#829)
systemd: Fix unit installation (coreos-overlay#810)
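The pam_faillock lockout policy described in the Changes above (5 wrong passwords per two minutes, one-minute lock, SSH key logins not counted), replayed as a simplified model so the effect on a sequence of login attempts can be seen. This is an added example with constructed events; it is not Flatcar's configuration or pam_faillock's code, and the POLICY key names are assumed to mirror pam_faillock's faillock.conf options.

```python
"""Simplified model of the pam_faillock policy from the release note.

An account locks after 5 wrong passwords within a 120 s window and unlocks
60 s later; SSH key logins never count.  Constructed example, not Flatcar's
configuration or pam_faillock's code; key names follow faillock.conf.
"""

# Values from the release note, named as pam_faillock's faillock.conf names them.
POLICY = {"deny": 5, "fail_interval": 120, "unlock_time": 60}


def faillock_state(events, policy=POLICY):
    """Replay (timestamp_s, auth_method, success) events for one account.

    Returns one (timestamp_s, locked) pair per event so the caller can see
    exactly when the lock engaged and when it released.  auth_method is
    "password" or "publickey"; only password failures feed the tally.
    """
    failures = []        # timestamps of password failures inside the window
    locked_since = None  # timestamp of the failure that tripped the lock
    states = []
    for ts, method, ok in sorted(events):
        if locked_since is not None and ts - locked_since >= policy["unlock_time"]:
            locked_since, failures = None, []   # lock expired, tally reset
        if method == "password" and locked_since is None:
            if ok:
                failures = []                   # a good password clears the tally
            else:
                failures.append(ts)
                # keep only failures within the sliding fail_interval window
                failures = [t for t in failures if ts - t < policy["fail_interval"]]
                if len(failures) >= policy["deny"]:
                    locked_since = ts
        # while locked, every password attempt is refused and nothing is counted;
        # publickey attempts never touch the tally
        states.append((ts, locked_since is not None))
    return states


# Constructed sample: four bad passwords, a key login, then a fifth bad password.
SAMPLE_EVENTS = [
    (0, "password", False), (10, "password", False), (20, "password", False),
    (30, "password", False), (35, "publickey", True), (40, "password", False),
    (90, "password", True),   # correct password, but the lock is still active
    (100, "password", True),  # 60 s after the lock engaged: allowed again
]

if __name__ == "__main__":
    for ts, locked in faillock_state(SAMPLE_EVENTS):
        print(f"t={ts:>4}s locked={locked}")
```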
Updates
Linux (5.10.52)
Linux firmware (20210511)
boost (1.75.0)
docker (19.03.15)
c-ares (1.17.1)
curl (7.78)
containerd (1.5.4)
coreutils (8.32)
cri-tools (1.19.0)
dbus (1.10.32)
dnsmasq (2.83)
Go (1.16.5)
git (2.26.3)
glib (2.66.8)
gnutls (3.7.1)
intel-microcode (20210216)
libxml2 (2.9.12)
multipath-tools (0.8.5)
ncurses (6.2)
open-iscsi (2.1.4)
openldap (2.4.58)
openssh (8.6_p1)
runc (1.0.0_rc95)
samba (4.12.9)
sqlite (3.34.1)
systemd (247.6)
zstd (1.4.9)
SDK: Rust (1.52.1)
SDK: QEMU (5.2.0)
SDK: cmake (3.18.5)
SDK: binutils (2.36.1)
Deprecation
docker-1.12, rkt and kubelet-wrapper are deprecated and have been removed from Stable; they will also be removed from the subsequent channels in the future. Please read the removal announcement for details.
New LTS release 2605.18.1
Security Fixes
Linux (CVE-2021-34693, CVE-2020-26541, CVE-2021-35039, CVE-2021-22543, CVE-2020-36311, CVE-2021-3609, CVE-2021-3655, CVE-2021-33909)
Updates
Linux (5.4.134)
Best,
The Flatcar Container Linux team at Kinvolk