Announcing new releases Alpha 4669.0.0, Beta 4628.1.0, Stable 4593.2.0, LTS 4081.3.7


Flatcar Container Linux User

Apr 28, 2026, 7:55:00 AM
to Flatcar Container Linux User

Hello,

We are pleased to announce new Flatcar Container Linux releases for the Alpha, Beta, Stable, and LTS channels.

Alpha 4669.0.0

Changes since Alpha 4628.0.0

Security fixes:

Bug fixes:

  • Fixed loading Ignition config from the initrd with ignition.config.url=oem:///myconf.ign. This was broken since moving to the minimal initrd. (scripts#3853)
  • Restored the ability to customize PXE images with OEM data. This was broken since moving to the minimal initrd. (Flatcar#2023)

Changes:

Updates:

Beta 4628.1.0

Changes since Beta 4593.1.0

Security fixes:

Bug fixes:

  • Added full terminfo database to support modern terminals like foot and Alacritty.
  • Fixed loading Ignition config from the initrd with ignition.config.url=oem:///myconf.ign. This was broken since moving to the minimal initrd. (scripts#3853)
  • Restored the ability to customize PXE images with OEM data. This was broken since moving to the minimal initrd. (Flatcar#2023)

Changes:

  • Dropped the “Oklo” release codename as it was never updated in a meaningful way.
  • Moved systemd-sysext image mounting into the initrd, so that system extensions can better define the behavior of the final system at boot without workarounds to apply settings late at boot. This means .wants symlinks for systemd units work as expected now and, therefore, we dropped the ensure-sysext.service workaround. We still recommend extensions to keep their workarounds, e.g., using .upholds instead of .wants, to better support live reloading. A skipping logic prevents an extension refresh late at boot but only if no changes were found. For extensions that are not stored on a custom filesystem, such as a separate /var partition, the new extension mounting from the initrd won’t be able to load them early but they will be picked up late at boot through the extension refresh. This is another case where it’s good if extensions keep workarounds for late loading.
  • OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar, podman, zfs, nvidia) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). OEM sysexts (e.g., oem-azure, oem-gce) are now also signed and built during the image phase to ensure consistent signing with the same ephemeral key. (scripts#3162)
  • Switched /etc/ from a custom overlayfs for A/B updates to a systemd-confext extension that provides the default contents, using systemd-confext in mutable mode where /etc/ is used as the upperdir. (scripts#3555)

Updates:

Changes since Alpha 4628.0.0

Security fixes:

Bug fixes:

  • Fixed loading Ignition config from the initrd with ignition.config.url=oem:///myconf.ign. This was broken since moving to the minimal initrd. (scripts#3853)
  • Restored the ability to customize PXE images with OEM data. This was broken since moving to the minimal initrd. (Flatcar#2023)

Updates:

Stable 4593.2.0

Changes since Stable 4459.2.4

Security fixes:

Bug fixes:

  • Alpha only: Added Fusion SCSI disk drivers back to the initrd after they got lost in the rework (Flatcar#1924)
  • Alpha only: Fixed systemd-sysext payload handling for air-gapped/self-hosted updates which was a known bug for 4487.0.0 (ue-rs#93)
  • Configured the services in the overlaybd sysext to start automatically like the other sysexts. Note that the sysext must be enabled at boot time for this to happen, otherwise you need to call systemd-tmpfiles --create and systemctl daemon-reload first.
  • Dropped debug symbols from containerd, incus, and overlaybd system extensions to reduce download size.
  • Re-enabled PAM sssd support for LDAP authentication (scripts#3696)
  • Fixed SSSD startup failure by adding back LDB modules into the image, which got lost after a Samba update (Flatcar#1919)
  • Fixed a kernel boot warning when loading an explicit list of kernel modules in the minimal first-stage initrd (Flatcar#1934)
  • Fixed loading Ignition config from the initrd with ignition.config.url=oem:///myconf.ign. This was broken since moving to the minimal initrd. (scripts#3853)
  • Restored the ability to customize PXE images with OEM data. This was broken since moving to the minimal initrd. (Flatcar#2023)

Changes:

  • Added support for the kernel cmdline parameters flatcar.release_file_server_url and flatcar.dev_file_server_url to specify custom servers where Flatcar extensions should be downloaded on boot (bootengine#112)
  • Alpha only: Reduced Azure image size again to 30 GB as before by shrinking the root partition to compensate for the growth of the other partitions (scripts#3460)
  • Dropped Ciphers, MACs, and KexAlgorithms from the sshd configuration so that the OpenSSH upstream defaults are used. This introduces post-quantum key exchange algorithms for better security. (Flatcar#1921). Users requiring legacy Ciphers, MACs, and/or KexAlgos can override / re-enable this by deploying a custom drop-in config to /etc/ssh/sshd_config.d/.
  • Enabled netkit module (scripts#3524)
  • Function tracer (ftrace) enabled in ARM64 builds. (Enables CONFIG_FUNCTION_TRACER & CONFIG_DYNAMIC_FTRACE for observability and security tools) (flatcar/scripts#3685)
  • Increased all partition sizes: /boot to 1 GB, the two /usr partitions to 2 GB, /oem to 1 GB so that we can use more space in a few years when we can assume that most nodes run the new partition layout - existing nodes can still update for the next years (scripts#3027)
  • Reduced the kernel+initrd size on /boot by half. Flatcar now uses a minimal first stage initrd just to access the /usr partition and then switches to the full initrd that does the full system preparation as before. Since this means that the set of kernel modules available in the first initrd is reduced, please report any impact.
  • The way that files for building custom kernel modules are installed has changed from an Ubuntu-inspired method to the standard upstream kernel method. In the unlikely event that this breaks your module builds, please let the Flatcar team know immediately.

Updates:

Changes since Beta 4593.1.0

Security fixes:

Bug fixes:

  • Fixed loading Ignition config from the initrd with ignition.config.url=oem:///myconf.ign. This was broken since moving to the minimal initrd. (scripts#3853)
  • Restored the ability to customize PXE images with OEM data. This was broken since moving to the minimal initrd. (Flatcar#2023)

Updates:

LTS 4081.3.7

Changes since LTS 4081.3.6

Security fixes:

Bug fixes:

  • Fixed the QEMU launcher script to include HVF acceleration on arm64-based Macs for faster performance (Flatcar#1901)
  • /etc/shadow, /etc/gshadow are now owned by the shadow group, /usr/bin/unix_chkpwd, /usr/bin/chage and /usr/bin/expiry are now also owned by the shadow group with a sticky bit enabled.

Updates:
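
Added example, not part of the announcement and not Flatcar project code: a post-upgrade check for the Stable 4593.2.0 sshd change, listing drop-ins that still pin Ciphers, MACs or KexAlgorithms and testing whether the effective configuration offers a post-quantum key exchange. The function names and the sample drop-ins are assumptions constructed for illustration; the algorithm names are OpenSSH's.

```bash
#!/usr/bin/env bash
# Added example: audit sshd after Ciphers, MACs and KexAlgorithms were dropped
# from the shipped sshd configuration in favour of the OpenSSH defaults.

# Print "file: directive" for each drop-in in DIR that pins one of the three
# directives and therefore overrides the upstream defaults.
find_pinned_dropins() {
  local dir=$1 f
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    awk -v file="$f" '
      { line = tolower($0); sub(/^[ \t]+/, "", line) }
      match(line, /^(ciphers|macs|kexalgorithms)[ \t=]/) {
        print file ": " substr(line, 1, RLENGTH - 1)
      }' "$f"
  done
}

# Read the effective config (`sshd -T` output) on stdin; exit 0 if a
# post-quantum hybrid key exchange is offered, 1 otherwise.
has_pq_kex() {
  awk '$1 == "kexalgorithms" {
         n = split($2, alg, ",")
         for (i = 1; i <= n; i++)
           if (alg[i] ~ /^(mlkem768x25519-sha256|sntrup761x25519-sha512)/) pq = 1
       }
       END { exit (pq ? 0 : 1) }'
}

# Demo on constructed sample data (not taken from a real host).
demo() {
  local d; d=$(mktemp -d)
  printf '# legacy clients\nKexAlgorithms diffie-hellman-group14-sha256\n' > "$d/10-legacy.conf"
  printf 'PasswordAuthentication no\n' > "$d/20-auth.conf"
  find_pinned_dropins "$d"
  if printf 'kexalgorithms diffie-hellman-group14-sha256\n' | has_pq_kex; then
    echo "post-quantum KEX offered"
  else
    echo "no post-quantum KEX in effective config"
  fi
  rm -rf "$d"
}
demo
# On a host (as root): find_pinned_dropins /etc/ssh/sshd_config.d; sshd -T | has_pq_kex
```

A drop-in reported by the first function is the likely cause when the second reports no post-quantum key exchange after the update.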
