Hello,
We are pleased to announce a Flatcar Container Linux maintenance release for our LTS-2021 channel, as well as new major releases for our Alpha, Beta and Stable channels.
All releases include an update which changes the URL of our binary package server to https://mirror.release.flatcar-linux.net/ . This change applies to the SDK and to the development container and is required to reflect changes in our build infrastructure. There’s a tracking issue for that change here.
Update to CGroupsV2
CGroups V2 is coming to Stable! Introduced in Alpha 2969.0.0, the feature has been stabilising for almost three months now and will be included in Stable 2983.2.0.
NOTE that only new nodes will utilize CGroupsV2 by default. Existing nodes remain on CGroupsV1 and need to be manually migrated to CGroupsV2.
If you run into any problems, please file an issue at https://github.com/flatcar-linux/Flatcar/issues .
To learn more about CGroupsV2 on Flatcar Container Linux, and for the migration guide, please refer to https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-to-unified-cgroups/
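Because only new nodes default to CGroupsV2, a fleet will run both hierarchies side by side after this release. The following is an added example, not part of the Flatcar announcement or its tooling: a shell function that classifies a node from its mount table. The function names and the sample mount tables are constructed for illustration, and the "hybrid" case (a cgroup2 mount at /sys/fs/cgroup/unified next to v1 controllers, as systemd sets up in hybrid mode) goes slightly beyond what the announcement describes.

```shell
#!/bin/sh
# Added example: classify a node's cgroup setup from a mount table.
# cgroup_mode [MOUNTS_FILE] prints: unified | hybrid | legacy | unknown
cgroup_mode() {
    awk '
        $2 == "/sys/fs/cgroup" && $3 == "cgroup2"           { unified = 1 }
        $2 == "/sys/fs/cgroup/unified" && $3 == "cgroup2"   { hybrid = 1 }
        index($2, "/sys/fs/cgroup/") == 1 && $3 == "cgroup" { v1 = 1 }
        END {
            if (unified)     print "unified"   # cgroups v2 only (new nodes)
            else if (hybrid) print "hybrid"    # v1 controllers plus a v2 tree
            else if (v1)     print "legacy"    # cgroups v1 only
            else             print "unknown"
        }
    ' "${1:-/proc/mounts}"
}

# Constructed sample mount tables in /proc/mounts format (not captured from real nodes).
write_samples() {
    cat > "$1/new-node" <<'EOF'
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
EOF
    cat > "$1/existing-node" <<'EOF'
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
EOF
    cat > "$1/hybrid-node" <<'EOF'
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
EOF
}

# Demo on the constructed samples; on a real node call cgroup_mode with no argument.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in new-node existing-node hybrid-node; do
    printf '%s: %s\n' "$f" "$(cgroup_mode "$tmp/$f")"
done
rm -rf "$tmp"
```

Nodes that report "legacy" or "hybrid" are the ones still to be migrated manually using the guide linked above.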
New Alpha release 3046.0.0
Changes since Alpha 3033.0.0
Security fixes
Linux (CVE-2021-3760, CVE-2021-3772, CVE-2021-42327, CVE-2021-43056, CVE-2021-43267, CVE-2021-43389)
Go (CVE-2021-41771, CVE-2021-41772)
ncurses (CVE-2021-39537)
SDK: rust (CVE-2021-42574, CVE-2021-42694)
Bug fixes
Use https protocol instead of git for GitHub URLs (flatcar-linux/coreos-overlay#1394)
Skip tcsd.service for TPM2 devices to fix failures on c3.small.x86 instances of Equinix Metal (Flatcar#208)
Changes
scripts: introduce `--setuponly` flag in update_chroot (flatcar-linux/scripts#178)
Updates
ca-certificates (3.70.0)
cryptsetup (2.4.1)
libidn2 (2.3.2)
mpc (1.2.1)
mpfr (4.1.0)
ncurses (6.2_p20210619)
nmap (7.92)
openssl (3.0.0)
procps (3.3.17)
wget (1.21.2)
SDK: rust (1.56.1)
SDK: yasm (1.3.0)
New Beta release 3033.1.0
Changes since Alpha 3033.0.0
Security fixes
Linux (CVE-2021-3760, CVE-2021-3772, CVE-2021-42327, CVE-2021-43056, CVE-2021-43267, CVE-2021-43389)
Docker (CVE-2021-41092, CVE-2021-41089, CVE-2021-41091)
Go (CVE-2021-41771, CVE-2021-41772)
Changes
Use https protocol instead of git for GitHub URLs (flatcar-linux/coreos-overlay#1394)
Updates
Changes since Beta 2983.1.2
Security fixes
Linux (CVE-2021-3739, CVE-2021-3744, CVE-2021-3753, CVE-2021-3760, CVE-2021-3764, CVE-2021-3772, CVE-2021-20321, CVE-2021-38300, CVE-2021-40490, CVE-2021-41864, CVE-2021-42327, CVE-2021-43056, CVE-2021-43267, CVE-2021-43389)
Go (CVE-2021-29923, CVE-2021-38297, CVE-2021-39293, CVE-2021-41771, CVE-2021-41772)
Docker (CVE-2021-41092, CVE-2021-41089, CVE-2021-41091)
bash (CVE-2019-9924, CVE-2019-18276)
binutils (CVE-2021-3530, CVE-2021-3549)
containerd (CVE-2021-41103)
curl (CVE-2021-22945, CVE-2021-22946, CVE-2021-22947)
git (CVE-2021-40330)
glibc (CVE-2021-38604)
GnuPG (CVE-2020-25125)
libgcrypt (CVE-2021-40528)
nettle (CVE-2021-20305, CVE-2021-3580)
polkit (CVE-2021-3560)
sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
util-linux (CVE-2021-37600)
vim (CVE-2021-3770, CVE-2021-3778, CVE-2021-3796)
SDK: bison (CVE-2020-14150, CVE-2020-24240)
SDK: perl (CVE-2020-10878)
Bug fixes
toolbox: fixed support for multi-layered docker images (flatcar-linux/toolbox#5)
arm64: the Polkit service does not crash anymore. (flatcar-linux/Flatcar#156)
The tcsd service for TPM 1 is no longer started on machines with TPM 2, where it fails and isn’t necessary. (flatcar-linux/coreos-overlay#1365)
Skip tcsd.service for TPM2 devices to fix failures on c3.small.x86 instances of Equinix Metal (Flatcar#208)
Fixed locksmith adhering to reboot window when getting the etcd lock (flatcar-linux/locksmith#10)
Run emergency.target on `ignition/torcx` service unit failure in dracut (bootengine#28)
Changes
Added GPIO support (coreos-overlay#1236)
Enabled SELinux in permissive mode on ARM64 (coreos-overlay#1245)
Added support for some alias commands from `bcc` (flatcar-linux/coreos-overlay#1278)
Updates
Linux (5.10.77)
Linux firmware (20210919)
Go (1.17.3)
bash (5.1_p8)
binutils (2.37)
ca-certificates (3.69.1)
containerd (1.5.7)
curl (7.79.1)
duktape (2.6.0)
ebtables (2.0.11)
gawk (5.1.0)
git (2.32.0)
GnuPG (2.2.29)
iptables (1.8.7)
keyutils (1.6.1)
libdnet (1.14)
libgcrypt (1.9.4)
libmnl (1.0.4)
libnftnl (1.2.0)
libtirpc (1.3.2)
ldb (2.3.0)
lvm2 (2.02.188)
nettle (3.7.3)
net-tools (2.10)
nftables (0.9.9)
openssh (8.7_p1-r1)
polkit (0.119)
realmd (0.17.0)
sssd (2.3.1)
systemd (249.4)
talloc (2.3.2)
util-linux (2.37.2)
vim (8.2.3428)
xenstore (4.14.2)
SDK: bison (3.7.6)
SDK: perl (5.34.0)
SDK: rust (1.55)
VMware: open-vm-tools (11.3.5)
New Stable release 2983.2.0
Update to CGroupsV2
CGroups V2 is coming to Stable! Introduced in Alpha 2969.0.0, the feature has been stabilising for almost three months now and will be included in Stable 2983.2.0.
NOTE that only new nodes will utilize CGroupsV2 by default. Existing nodes remain on CGroupsV1 and need to be manually migrated to CGroupsV2. To learn more about CGroupsV2 on Flatcar Container Linux, and for the migration guide, please refer to https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-to-unified-cgroups/
Changes since Beta 2983.1.2
Security fixes
Linux (CVE-2021-3760, CVE-2021-3772, CVE-2021-42327, CVE-2021-43056, CVE-2021-43267, CVE-2021-43389)
Go (CVE-2021-41771, CVE-2021-41772)
Bug fixes
Use https protocol instead of git for GitHub URLs (flatcar-linux/coreos-overlay#1394)
Updates
Changes since Stable 2905.2.6
Security fixes
Linux (CVE-2021-3609, CVE-2021-3653, CVE-2021-3655, CVE-2021-3656, CVE-2021-3760, CVE-2021-3772, CVE-2020-26541, CVE-2021-35039, CVE-2021-37576, CVE-2021-22543, CVE-2021-33909, CVE-2021-34556, CVE-2021-35477, CVE-2021-38166, CVE-2021-38205, CVE-2021-42327, CVE-2021-43056, CVE-2021-43267, CVE-2021-43389)
c-ares (CVE-2021-3672)
containerd (CVE-2021-32760)
curl (CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926)
dnsmasq (CVE-2021-3448)
expat (CVE-2013-0340)
glibc (CVE-2020-29562, CVE-2019-25013, CVE-2020-27618, CVE-2021-27645, CVE-2021-33574, CVE-2021-35942)
libgcrypt (CVE-2021-33560)
libpcre (CVE-2019-20838, CVE-2020-14155)
libuv (CVE-2021-22918)
mit-krb5 (CVE-2021-36222)
NVIDIA Drivers (CVE-2021-1090, CVE-2021-1093, CVE-2021-1094, CVE-2021-1095)
systemd (CVE-2020-13529, CVE-2021-33910)
tar (CVE-2021-20193)
Bug fixes
Use https protocol instead of git for GitHub URLs (flatcar-linux/coreos-overlay#1394)
Skip tcsd.service for TPM2 devices to fix failures on c3.small.x86 instances of Equinix Metal (Flatcar#208)
Fixed containerd config after introduction of CGroupsV2 (coreos-overlay#1214)
Fixed path for amazon-ssm-agent in base-ec2.ign (coreos-overlay#1228)
Fixed locksmith adhering to reboot window when getting the etcd lock (locksmith#10)
Add the systemd tag in udev for Azure storage devices, to fix /boot automount (init#41)
Changes
Added Azure Generation 2 VM support (coreos-overlay#1198)
cgroups v2 by default for new nodes (coreos-overlay#931).
Upgrade Docker to 20.10 (coreos-overlay#931)
Switched Docker ecosystem packages to go1.16 (coreos-overlay#1217)
Added lbzip2 binary to the image (coreos-overlay#1221)
flatcar-install uses lbzip2 if present, falls back on bzip2 if not (init#46)
Added Intel E800 series network adapter driver (coreos-overlay#1237)
Enabled ‘audit’ use flag for sys-libs/pam (coreos-overlay#1233)
Bumped etcd and flannel to 3.5.0 and 0.14.0 respectively to get multiarch images for arm64 support. Note for users of the old etcd v2 support: ETCDCTL_API=2 must be set to use the v2 store, and ETCD_ENABLE_V2=true must be set in the etcd-member.service; this support will be removed in 3.6.0 (coreos-overlay#1179)
Added BTRFS support for the OEM and /usr partitions; for now it is used only for the OEM partition. Ignition configurations that refer to the OEM partition will work with any filesystem format specified; a mismatch does not result in a boot error. (coreos-overlay#1106)
Switched the arm64 kernel to use a 4k page size instead of 64k
Switched dm-verity corruption detection to issue a kernel panic instead of merely failing certain syscalls that try to use the corrupted data (a panic results in a reboot after 1 minute, as was already the case before)
Enabled ARM64 SDK bootstrap (flatcar-linux/scripts#134)
SDK: enabled experimental ARM64 SDK usage (flatcar-linux/scripts#134) (flatcar-linux/scripts#141)
AWS: Added amazon-ssm-agent (coreos-overlay#1162)
Azure: Compile OEM contents for all architectures (coreos-overlay#1196)
update_engine: add postinstall hook to stay on cgroupv1 (update_engine#13)
Enable telnet support for curl (coreos-overlay#1099)
Enable ssl USE flag for wget (coreos-overlay#932)
Enable MDIO_BCM_UNIMAC for arm64 (coreos-overlay#929)
Updates
Linux (5.10.77)
Linux firmware (20210818)
Go (1.16.10)
c-ares (1.17.2)
containerd (1.5.7)
cryptsetup (2.3.6)
curl (7.78)
dbus (1.12.20)
docker (20.10.10)
docker CLI (20.10.10)
docker proxy (0.8.0_p20210525)
dracut (053)
etcd (3.5.0)
expat (2.4.1)
gettext (0.21-r1)
glibc (2.33-r5)
gptfdisk (1.0.7)
flannel (0.14.0)
intel-microcode (20210608)
libarchive (3.5.1)
libev (4.33)
libpcre (8.44)
libuv (1.41.1)
libverto (0.3.1)
lz4 (1.9.3-r1)
mit-krb5 (1.19.2)
NVIDIA Drivers (470.57.02)
pax-utils (1.3.1)
portage-utils (0.90)
readline (8.1_p1)
runc (1.0.2)
selinux (3.1)
selinux-refpolicy (2.20200818)
strace (5.12)
systemd (247.9)
tar (1.34)
tini (0.19)
wa-linux-agent (2.3.1.1)
xz-utils (5.2.5)
SDK: dnsmasq (2.85)
SDK: rust (1.54)
VMware: open-vm-tools (11.3.0)
New LTS release 2605.23.1
Changes since LTS 2605.22.1
Security fixes
Linux (CVE-2021-3760, CVE-2021-3772, CVE-2021-43056, CVE-2021-43389)
Bug fixes
Use https protocol instead of git for GitHub URLs (flatcar-linux/coreos-overlay#1394)
Updates
Linux (5.4.157)
Best,
The Flatcar Container Linux maintainers