Release Channels
The Stable channel is intended for use in production clusters. Versions of Flatcar Container Linux have been tested as they move through Alpha and Beta channels before being promoted to stable.
The Beta channel is where Flatcar Container Linux stability is solidified. We encourage including some beta machines in production clusters in order to catch any issues that may arise with your setup.
The Alpha channel follows a more frequent release cadence and is where new updates are introduced. Users can try the new versions of the Linux kernel, systemd and other core packages.
LTS releases will be maintained for an extended lifetime of 18 months. The LTS channel is available to support subscription customers.
Release Notes
Release Date: Mar 25, 2021 amd64
ignition - 0.34.0
kernel - 5.10.25
systemd - 247
Security fixes
- Linux (CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28039, CVE-2021-28375, CVE-2021-28660, CVE-2021-27218, CVE-2021-27219)
- openssl (CVE-2021-23840, CVE-2021-23841, CVE-2020-1971, CVE-2021-3449, CVE-2021-3450)
Bug Fixes
- GCE: The old interface name ens4v1 which was replaced by eth0 due to a broken udev rule was restored, but now as alternative interface name, and eth0 will stay the primary name for consistency across cloud environments. (init#38)
Changes
- The virtio network interfaces got predictable interface names as alternative interface names, and thus these names can also be used to match for a specific interface in case there is more than one and the eth0 and eth1 name assignment is not stable. (init#38)
Updates
Release Date: Mar 11, 2021 amd64
ignition - 0.34.0
kernel - 5.10.21
systemd - 247
Security fixes
- Linux - (CVE-2020-25639, CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28039)
- containerd (GHSA-6g2q-w5j3-fwh4)
Bug fixes
- Include firmware files for all modules shipped in our image (Issue #359, PR #887)
- Add explicit path to the binary call in the coreos-metadata unit file (Issue #360)
Updates
Release Date: Mar 3, 2021 amd64
ignition - 0.34.0
kernel - 5.10.19
systemd - 247
Release Date: Jan 28, 2021 amd64
ignition - 0.34.0
kernel - 5.4.92
systemd - 246
Security fixes
- linux - CVE-2020-28374, CVE-2020-36158
- go - CVE-2021-3114
- sudo - CVE-2021-3156, CVE-2021-23239
Bug fixes
- /etc/iscsi/initiatorname.iscsi is generated by the iscsi-init service (#321)
- Prevent iscsiadm buffer overflow (#318)
Changes
- Revert to building docker and containerd with go1.13 instead of go1.15. This reduces the SIGURG log spam (Issue #315 PR #774)
- The containerd socket is now available in the default location (/run/containerd/containerd.sock) and also as a symlink in the previous location (/run/docker/libcontainerd/docker-containerd.sock) (#771)
- With the iscsi update, the service unit has changed from iscsid to iscsi (#791)
- AWS Pro: include scripts to facilitate setup of EKS workers (#794).
- Missed from earlier notes: with the previous open-iscsi update to 2.1.2, the service unit name changed from iscsid to iscsi (#682)
Updates
Release Date: Jan 12, 2021 amd64
ignition - 0.34.0
kernel - 5.4.87
systemd - 246
Security fixes
Bug fixes
- networkd: avoid managing MAC addresses for veth devices (kinvolk/init#33)
Updates
- Linux (5.4.87)
Release Date: Dec 16, 2020 amd64
ignition - 0.34.0
kernel - 5.4.83
systemd - 246
Security fixes:
Bug fixes:
- The sysctl net.ipv4.conf.*.rp_filter is set to 0 for the Cilium CNI plugin to work (Flatcar#181)
- Package downloads in the developer container now use the correct URL again (Flatcar#298)
Changes:
- The sysctl default config file is now applied under the prefix 60 which allows for custom sysctl config files to take effect when they start with a prefix of 70, 80, or 90 (baselayout#13)
- The containerd CRI plugin is now enabled by default; only the containerd socket path needs to be specified as a kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (Flatcar#283)
- For users with a custom update server, a machine alias setting in update-engine allows human-friendly names to be given to client instances (update-engine#8)
Updates:
- Linux (5.4.83)
Release Date: Dec 7, 2020 amd64
ignition - 0.34.0
kernel - 5.4.81
systemd - 246
Security fixes:
- containerd (CVE-2020-15257)
- glibc (CVE-2019-9169, CVE-2019-6488, CVE-2019-7309, CVE-2020-10029, CVE-2020-1751, CVE-2020-6096, CVE-2018-20796)
- Linux (CVE-2020-28941, CVE-2020-4788, CVE-2020-25669, CVE-2020-14351)
- glib (CVE-2019-12450)
- open-iscsi (CVE-2017-17840)
- samba (CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, CVE-2019-3880, CVE-2019-10218)
- shadow (CVE-2019-19882)
- sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
- trousers (CVE-2020-24330, CVE-2020-24331)
- cifs-utils (CVE-2020-14342)
- ntp (CVE-2020-11868, CVE-2020-13817, CVE-2018-8956, CVE-2020-15025)
- bzip2 (CVE-2019-12900)
- c-ares (CVE-2017-1000381)
- file (CVE-2019-18218)
- json-c (CVE-2020-12762)
- jq (CVE-2015-8863, CVE-2016-4074)
- libuv (CVE-2020-8252)
- libxml2 (CVE-2019-20388, CVE-2020-7595)
- re2c (CVE-2020-11958)
- tar (CVE-2019-9923)
- sqlite (CVE-2020-11656, CVE-2020-9327, CVE-2020-11655, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358)
- tcpdump and pcap (CVE-2018-10103, CVE-2018-10105, CVE-2019-15163, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2018-14879, CVE-2017-16808, CVE-2018-19519, CVE-2019-15161, CVE-2019-15165, CVE-2019-15164, CVE-2019-1010220)
- libbsd (CVE-2019-20367)
- rsync and zlib (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)
Bug fixes
- Added systemd-tmpfiles directives for /opt and /opt/bin to ensure that the folders have correct permissions even when /opt/ was once created by containerd (Flatcar#279)
- Make the automatic filesystem resizing more robust against a race and add more logging (kinvolk/init#31)
- Allow inactive network interfaces to be bound to a bonding interface, by encoding additional configuration for systemd-networkd-wait-online (afterburn PR #10)
- Do not configure ccache in Jenkins (scripts PR #100)
- Azure: Exclude bonded SR-IOV network interfaces with newer drivers from networkd (in addition to the old drivers) to prevent them being configured instead of just the bond interface (init PR#29, bootengine PR#19)
Changes:
- Update-engine now detects rollbacks and reports them as errors to the update server (PR#6)
- The zstd tools were added (version 1.4.4)
- The kernel config CONFIG_PSI was set to support Pressure Stall Information, more information also under https://facebookmicrosites.github.io/psi/docs/overview (Flatcar#162)
- The kernel config CONFIG_BPF_JIT_ALWAYS_ON was set to use the BPF just-in-time compiler by default for faster execution
- The kernel config CONFIG_POWER_SUPPLY was set
- The kernel configs CONFIG_OVERLAY_FS_METACOPY and CONFIG_OVERLAY_FS_REDIRECT_DIR were set. With the first overlayfs will only copy up metadata when a metadata-specific operation like chown/chmod is performed. The full file will be copied up later when the file is opened for write operations. With the second, which is equivalent to setting “redirect_dir=on” in the kernel command-line, overlayfs will copy up the directory first before the actual content (Flatcar#170).
- Remove unnecessary kernel module nf-conntrack-ipv4 (overlay PR#649)
- Compress kernel modules with xz (overlay PR#628)
- Add containerd-runc-shim-v* binaries required by kubelet custom CRI endpoints (overlay PR#623)
- Equinix Metal (Packet): Exclude unused network interfaces from networkd, disregard the state of the bonded interfaces for the network-online.target and only require the bond interface itself to have at least one active link instead of routable which requires both links to be active (afterburn PR#10)
- QEMU: Use flatcar.autologin kernel command line parameter for auto login on the console (Flatcar #71)
Updates:
- Linux (5.4.81)
- Linux firmware (20200918)
- systemd (246.6)
- glibc (2.32)
- Docker (19.03.14)
- containerd (1.4.3)
- tini (0.18)
- libseccomp (2.5.0)
- audit (2.8.5)
- bzip2 (1.0.8)
- c-ares (1.61.1)
- cryptsetup (2.3.2)
- cifs-utils (6.11)
- dbus-glib (0.110)
- dracut (050)
- elfutils (0.178)
- glib (2.64.5)
- json-c (0.15)
- jq (1.6)
- libuv (1.39.0)
- libxml2 (2.9.10)
- ntp (4.2.8_p15)
- open-iscsi (2.1.2)
- samba (4.11.13)
- shadow (4.8)
- sssd (2.3.1)
- strace (5.9)
- talloc (2.3.1)
- tar (1.32)
- tdb (1.4.3)
- tevent (0.10.2)
- SDK/developer container: GCC (9.3.0), binutils (2.35), gdb (9.2)
- Go (1.15.5, 1.12.17) (only in SDK)
- Rust (1.46.0) (only in SDK)
- file (5.39) (only in SDK)
- gdbus-codegen (2.64.5) (only in SDK)
- meson (0.55.3) (only in SDK)
- re2c (2.0.3) (only in SDK)
- VMware: open-vm-tools (11.2.0)
Release Date: Nov 19, 2020 amd64
ignition - 0.34.0
kernel - 5.4.77
systemd - 245
Security fixes:
- Linux - CVE-2020-27673, CVE-2020-27675
Bug fixes:
- network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)
- systemd-stable-245.8: ingest latest fixes on top of upstream release (#1, #2, #3)
Updates:
Release Date: Oct 28, 2020 amd64
ignition - 0.34.0
kernel - 5.4.72
systemd - 245
Security fixes:
- Linux - CVE-2020-25645, CVE-2020-25643, CVE-2020-25211
Bug fixes:
- Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)
Updates:
- Linux 5.4.72
Release Date: Sep 30, 2020 amd64
ignition - 0.34.0
kernel - 5.4.67
systemd - 245
Bug fixes:
- Enabled missing systemd services (#191, PR #612)
- Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
- Solved adcli Kerberos Active Directory incompatibility (#194)
- Fixed the makefile path when building kernel modules with the developer container (#195)
- Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config (flatcar-linux/coreos-overlay#613)
Changes:
- GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)
Updates:
- Linux 5.4.67
- adcli 0.9.0
- GCE: oslogin 20200910.00
Release Date: Sep 22, 2020 amd64
ignition - 0.34.0
kernel - 5.4.66
systemd - 1.30.0
- 245
Security fixes:
- Linux kernel CVE-2020-14390 and the unassigned similar bug
- Linux kernel CVE-2020-25284
Updates:
- Linux 5.4.66
Release Date: Sep 16, 2020 amd64
ignition - 0.34.0
kernel - 4.19.145
systemd - 1.30.0
- 241
Release Date: Sep 7, 2020 amd64
ignition - 0.34.0
kernel - 4.19.143
systemd - 1.30.0
- 241
Security fixes:
- Linux kernel: Fix AF_PACKET overflow in tpacket_rcv CVE-2020-14386
Updates:
- Linux 4.19.143
Release Date: Aug 20, 2020 amd64
ignition - 0.34.0
kernel - 4.19.140
systemd - 1.30.0
- 241
Security fixes:
- Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
Bug fixes:
- The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] (flatcar-linux/bootengine#15)
- app-admin/{kubelet, etcd, flannel}-wrapper: don't overwrite the user supplied --insecure-options argument (flatcar-linux/coreos-overlay#426)
- etcd-wrapper: Adjust data dir permissions (flatcar-linux/coreos-overlay#536)
Changes:
- Vultr support in Ignition (flatcar-linux/ignition#13)
- VMware OVF settings default to ESXi 6.5 and Linux 3.x
Updates:
Release Date: Jun 17, 2020 amd64
ignition - 0.34.0
kernel - 4.19.128
systemd - 1.30.0
- 241
Flatcar updates
Security fixes:
- Fix the Intel Microcode vulnerabilities (CVE-2020-0543)
Changes:
- A source code and licensing overview is available under /usr/share/licenses/INFO
Updates:
Release Date: May 26, 2020 amd64
ignition - 0.34.0
kernel - 4.19.124
systemd - 1.30.0
- 241
Flatcar updates
Security fixes:
- Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
- Fix Git arbitrary path overwrite, credential leak from credential helpers, remote code execution in recursive clones, and arbitrary command execution via submodules (CVE-2019-1348, CVE-2019-1387, CVE-2019-19604, CVE-2020-11008, CVE-2020-5260)
- Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
- Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
- Fix libidn2 domain impersonation (CVE-2019-12290)
- Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
- Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
- Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
- Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
- Fix vim arbitrary command execution via crafted file (CVE-2019-12735)
Bug fixes:
- When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar-linux/update_engine/pull/5)
- Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed
- Use the correct BINHOST URLs in the development container to download binary packages
Changes:
- Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar-linux/bootengine/pull/13)
- Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
- Use flatcar.autologin kernel command line parameter on Azure and VMware for auto login on the serial console
- Include conntrack (conntrack-tools)
- Include journalctl output, pstore kernel crash logs, and coredumpctl list output in the mayday report
- Update wa-linux-agent to 2.2.46 on Azure
- Support both coreos.config.* and flatcar.config.* guestinfo variables on VMware OEM
Updates:
Release Date: Mar 31, 2020 amd64
ignition - 0.34.0
kernel - 4.19.107
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
- It is a possible breaking change for some persistent network interface names
- Fix URL scheme in emerge-gitclone (https://github.com/flatcar-linux/coreos-overlay/issues/223)
- Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
- Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
- Remove /boot/coreos/first_boot after an Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
- Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)
Changes:
- Add kernel config for QEDE driver (https://github.com/flatcar-linux/coreos-overlay/pull/198)
- Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)
Updates:
- Linux 4.19.107
Release Date: Mar 2, 2020 amd64
ignition - 0.33.0
kernel - 4.19.106
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
- Fix backwards compatibility issues for users to migrate from CoreOS Container Linux. Support the kernel command line parameters coreos.oem.*, coreos.autologin, coreos.first_boot, and the QEMU firmware config path opt/com.coreos/config (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)
Upstream Container Linux updates
Security fixes:
- Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker CVE-2020-1712
- Fix heap-based buffer over-read in libexpat (CVE-2019-15903)
- Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)
- Fix curl Kerberos FTP double free (CVE-2019-5481)
- Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
- Fix OpenSSL key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)
Updates:
Release Date: Feb 10, 2020 amd64
ignition - 0.33.0
kernel - 4.19.95
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
- Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
- Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)
Upstream Container Linux updates:
Updates:
- Linux 4.19.95
Release Date: Dec 18, 2019 amd64
ignition - 0.33.0
kernel - 4.19.86
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)
- Fix bug of unpacking tarballs failing when xattr is not supported (https://github.com/flatcar-linux/torcx/pull/2)
Updates:
Release Date: Dec 5, 2019 amd64
ignition - 0.33.0
kernel - 4.19.86
systemd - 1.30.0
- 241
Release Date: Nov 21, 2019 amd64
ignition - 0.33.0
kernel - 4.19.84
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
- Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
Bug fixes:
- Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
Updates:
Release Date: Nov 11, 2019 amd64
ignition - 0.33.0
kernel - 4.19.78
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix time zone for Brazil (#2627)
Updates:
- timezone-data 2019c
Release Date: Oct 17, 2019 amd64
ignition - 0.33.0
kernel - 4.19.78
systemd - 1.30.0
- 241
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Sep 5, 2019 amd64
ignition - 0.33.0
kernel - 4.19.68
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
- Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)
Bug fixes:
- Fix GCE agent crash loop in new installs (#2608)
Updates:
- Linux 4.19.68
Release Date: Aug 30, 2019 amd64
ignition - 0.33.0
kernel - 4.19.66
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)
Updates:
Release Date: Aug 16, 2019 amd64
ignition - 0.33.0
kernel - 4.19.65
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)
Updates:
- Linux 4.19.65
Flatcar updates
Bug fixes:
- Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
- Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
- Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)
Changes:
- Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)
Release Date: Aug 1, 2019 amd64
ignition - 0.33.0
kernel - 4.19.56
systemd - 1.30.0
- 241
Release Date: Jul 3, 2019 amd64
ignition - 0.33.0
kernel - 4.19.50
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)
Updates:
- Ignition 0.33.0
Release Date: Jul 1, 2019 amd64
ignition - 0.32.0
kernel - 4.19.50
systemd - 1.30.0
- 241
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Jun 19, 2019 amd64
ignition - 0.31.0
kernel - 4.19.43
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
Bug fixes:
- Fix invalid bzip2 compression of Container Linux release images (#2589)
Release Date: Jun 6, 2019 amd64
ignition - 0.31.0
kernel - 4.19.43
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix systemd MountFlags=shared option (#2579)
Changes:
- Pin network interface naming to systemd v238 scheme (#2578)
Release Date: May 16, 2019 amd64
ignition - 0.31.0
kernel - 4.19.43
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)
Updates:
Release Date: Apr 26, 2019 amd64
ignition - 0.31.0
kernel - 4.19.34
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Fix a regression from the latest hotfix builds, about CROS_WORKON_COMMIT in coreos-overlay
Release Date: Apr 25, 2019 amd64
ignition - 0.31.0
kernel - 4.19.34
systemd - 1.30.0
- 241
Release Date: Apr 24, 2019 amd64
ignition - 0.31.0
kernel - 4.19.34
systemd - 1.30.0
- 241
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Mar 12, 2019 amd64
ignition - 0.30.0
kernel - 4.19.25
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)
Bug fixes:
- Fix systemd-journald memory leak (#2564)
Updates:
- Linux 4.19.25
Release Date: Feb 27, 2019 amd64
ignition - 0.30.0
kernel - 4.19.23
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
Release Date: Feb 21, 2019 amd64
ignition - 0.28.0
kernel - 4.14.96
systemd - 1.30.0
- 238
Release Date: Feb 14, 2019 amd64
ignition - 0.28.0
kernel - 4.14.96
systemd - 1.30.0
- 238
Release Date: Jan 30, 2019 amd64
ignition - 0.28.0
kernel - 4.14.96
systemd - 1.30.0
- 238
Release Date: Jan 28, 2019 amd64
ignition - 0.28.0
kernel - 4.14.88
systemd - 1.30.0
- 238
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Jan 28, 2019 amd64
ignition - 0.28.0
kernel - 4.14.88
systemd - 1.30.0
- 238
Upstream Container Linux updates:
No changes for stable promotion
Flatcar updates
Changes:
- Fix the previous update of Flatcar where instead of https://github.com/flatcar-linux/init the upstream coreos-init package was referenced and used accidentally.
Release Date: Dec 21, 2018 amd64
ignition - 0.28.0
kernel - 4.14.84
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
- Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)
Updates:
Release Date: Nov 27, 2018 amd64
ignition - 0.28.0
kernel - 4.14.81
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
Updates:
- Linux 4.14.81
Release Date: Nov 8, 2018 amd64
ignition - 0.28.0
kernel - 4.14.78
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
- Fix systemd race allowing changing file permissions (CVE-2018-15687)
- Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)
Release Date: Oct 26, 2018 amd64
ignition - 0.26.0
kernel - 4.14.74
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Git remote code execution during recursive clone (CVE-2018-17456)
Updates:
Release Date: Oct 11, 2018 amd64
ignition - 0.26.0
kernel - 4.14.67
systemd - 1.30.0
- 238
Release Date: Sep 14, 2018 amd64
ignition - 0.26.0
kernel - 4.14.67
systemd - 1.30.0
- 238
Release Date: Aug 17, 2018 amd64
ignition - 0.25.1
kernel - 4.14.63
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
- Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
Updates:
Release Date: Aug 8, 2018 amd64
ignition - 0.25.1
kernel - 4.14.59
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)
Bug fixes:
- Fix failure to mount large ext4 filesystems (#2485)
Release Date: Jul 31, 2018 amd64
ignition - 0.25.1
kernel - 4.14.59
systemd - 1.30.0
- 238
Release Date: Jul 26, 2018 amd64
ignition - 0.25.1
kernel - 4.14.55
systemd - 1.30.0
- 238
Upstream Container Linux updates:
No changes for stable promotion
Release Date: Jun 15, 2018 amd64
ignition - 0.24.1
kernel - 4.14.48
systemd - 1.29.0
- 238
Release Date: Jun 13, 2018 amd64
ignition - 0.24.1
kernel - 4.14.48
systemd - 1.29.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix Hyper-V network driver regression (#2454)
Updates:
- Linux 4.14.48
Release Date: Jun 1, 2018 amd64
ignition - 0.24.1
kernel - 4.14.44
systemd - 1.29.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)
Bug fixes:
- Fix failure to set network interface MTU (#2443)
Updates:
Release Date: May 27, 2018 amd64
ignition - 0.24.1
kernel - 4.14.42
systemd - 1.29.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix inadvertent change of network interface names (#2437)
Release Date: May 26, 2018 amd64
ignition - 0.24.1
kernel - 4.14.42
systemd - 1.29.0
- 238
Release Date: Apr 25, 2018 amd64
ignition - 0.22.0
kernel - 4.14.32
systemd - 1.29.0
- 237
Flatcar updates
Initial Flatcar release.
Bug fixes:
- Fix GRUB crash at boot (#2284)
- Fix poweroff problems (#8080)
Notes:
- Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.
Upstream Container Linux updates:
Bug fixes:
- Avoid GRUB crash at boot (#2284). We've included the real fix for this.
- Fix kernel panic with vxlan (#2382)
Release Date: Mar 25, 2021 amd64
ignition - 0.34.0
kernel - 5.10.25
systemd - 247
Security fixes
- Linux (CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28039, CVE-2021-28375, CVE-2021-28660, CVE-2021-27218, CVE-2021-27219, CVE-2021-3444)
- openssl (CVE-2021-23840, CVE-2021-23841, CVE-2020-1971, CVE-2021-3449, CVE-2021-3450)
Bug Fixes
- GCE: The old interface name ens4v1 which was replaced by eth0 due to a broken udev rule was restored, but now as alternative interface name, and eth0 will stay the primary name for consistency across cloud environments. (init#38)
Changes
- The virtio network interfaces got predictable interface names as alternative interface names, and thus these names can also be used to match for a specific interface in case there is more than one and the eth0 and eth1 name assignment is not stable. (init#38)
Updates
Deprecation
- dhcpcd and containerd-stress are deprecated and removed from Beta, also from subsequent channels in the future. Users that relied on dhcpd should either migrate to systemd-networkd as a DHCP server or run dhcpd from a container.
- Docker 1.12 is deprecated and removed from Beta, also from subsequent channels in the future.
Release Date: Feb 18, 2021 amd64
ignition - 0.34.0
kernel - 5.10.16
systemd - 247
Security fixes
- Linux (CVE-2021-3347, CVE-2021-3348, CVE-2021-26708, CVE-2021-20194)
- Docker (CVE-2021-21285, CVE-2021-21284)
- NVIDIA (CVE-2021-1052, CVE-2021-1053, CVE-2021-1056)
Bug Fixes
- app-crypt/trousers: use correct file permissions (coreos-overlay#809)
- x11-drivers/nvidia-drivers: Handle NVIDIA Version upgrades (https://github.com/kinvolk/coreos-overlay/pull/762)
- flatcar-eks: add missing mkdir and update to latest versions (https://github.com/kinvolk/coreos-overlay/pull/817)
Updates
Release Date: Jan 28, 2021 amd64
ignition - 0.34.0
kernel - 5.9.16
systemd - 246
Security fixes
- go - CVE-2021-3114
- sudo - CVE-2021-3156, CVE-2021-23239
Bug fixes
- /etc/iscsi/initiatorname.iscsi is generated by the iscsi-init service (#321)
- Prevent iscsiadm buffer overflow (#318)
Changes
- Revert to building docker and containerd with go1.13 instead of go1.15. This reduces the SIGURG log spam (Issue #315 PR #774)
- The containerd socket is now available in the default location (/run/containerd/containerd.sock) and also as a symlink in the previous location (/run/docker/libcontainerd/docker-containerd.sock) (#771)
- With the iscsi update, the service unit has changed from iscsid to iscsi (#791)
- AWS Pro: include scripts to facilitate setup of EKS workers (#794).
- Missed from earlier notes: with the previous open-iscsi update to 2.1.2, the service unit name changed from iscsid to iscsi (#682)
Updates
Release Date: Jan 12, 2021 amd64
ignition - 0.34.0
kernel - 5.9.16
systemd - 246
Security fixes
Bug fixes
- The sysctl net.ipv4.conf.*.rp_filter is set to 0 for the Cilium CNI plugin to work (kinvolk/Flatcar#181)
- Package downloads in the developer container now use the correct URL again (kinvolk/Flatcar#298)
- networkd: avoid managing MAC addresses for veth devices (kinvolk/init#33)
Changes
- The sysctl default config file is now applied under the prefix 60 which allows for custom sysctl config files to take effect when they start with a prefix of 70, 80, or 90 (kinvolk/baselayout#13)
- The containerd CRI plugin is now enabled by default; only the containerd socket path needs to be specified as a kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (kinvolk/Flatcar#283)
- For users with a custom update server, a machine alias setting in update-engine allows human-friendly names to be given to client instances (kinvolk/update-engine#8)
Updates
Release Date: Dec 1, 2020 amd64
ignition - 0.34.0
kernel - 5.9.11
systemd - 246
Security fixes:
- No changes since Alpha 2705.0.0
Bug fixes:
- No changes since Alpha 2705.0.0
Changes:
- No changes since Alpha 2705.0.0
Updates:
- No changes since Alpha 2705.0.0
Release Date: Nov 19, 2020 amd64
ignition - 0.34.0
kernel - 5.8.18
systemd - 245
Security fixes:
- Linux - CVE-2020-27194, CVE-2020-27152
- Go - CVE-2020-28362, CVE-2020-28367, CVE-2020-28366
Bug fixes:
- network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)
Updates:
Release Date: Oct 16, 2020 amd64
ignition - 0.34.0
kernel - 5.8.14
systemd - 245
Security fixes:
- Linux - CVE-2020-25645, CVE-2020-25643, CVE-2020-25211
Bug fixes:
- Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)
Updates:
- Linux 5.8.14
Release Date: Sep 30, 2020 amd64
ignition - 0.34.0
kernel - 5.8.11
systemd - 1.30.0
- 245
Security fixes:
- Linux: CVE-2020-25284, CVE-2020-14390
Bug fixes:
- Enabled missing systemd services (#191, PR #612)
- Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
- Solved adcli Kerberos Active Directory incompatibility (#194)
- Fixed the makefile path when building kernel modules with the developer container (#195)
- Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config (flatcar-linux/coreos-overlay#613)
Changes:
- GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)
Updates:
- Linux 5.8.11
- adcli 0.9.0
- GCE: oslogin 20200910.00
Release Date: Sep 16, 2020 amd64
ignition - 0.34.0
kernel - 5.4.65
systemd - 1.30.0
- 245
Bug fixes:
- Fix resetting of DNS nameservers in systemd-networkd units (PR#12)
Changes:
- Disable TX checksum offloading for the IP-in-IP tunl0 interface used by Calico (PR#26). This is a workaround for a Mellanox driver issue, currently tracked in Flatcar#183
- Set sysctl net.ipv4.conf.(all|*).rp_filter to 0 (instead of the systemd upstream value 2) to be less restrictive, which some network solutions rely on (PR#11)
- flatcar-install allows installation to a multipath drive (PR#24)
Updates:
- Linux 5.4.65
Release Date: Sep 7, 2020 amd64
ignition - 0.34.0
kernel - 5.4.62
systemd - 1.30.0
- 245
Security fixes:
- Linux kernel: Fix AF_PACKET overflow in tpacket_rcv CVE-2020-14386
Updates:
- Linux 5.4.62
Release Date: Sep 3, 2020 amd64
ignition - 0.34.0
kernel - 5.4.61
systemd - 1.30.0
- 245
Release Date: Aug 20, 2020 amd64
ignition - 0.34.0
kernel - 5.4.59
systemd - 1.30.0
- 243
Security fixes:
- Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
Bug fixes:
- etcd-wrapper: Adjust data dir permissions (flatcar-linux/coreos-overlay#536)
Updates:
Release Date: Jul 23, 2020 amd64
ignition - 0.34.0
kernel - 5.4.52
systemd - 1.30.0
- 243
Changes since the Alpha release 2513.1.0
Bug Fixes:
- The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] (https://github.com/flatcar-linux/bootengine/pull/15)
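The ip= form above is easy to get subtly wrong on a PXE or installer command line (a stray colon shifts every later field, a gateway outside the subnet silently leaves the node unreachable). The following is an added example, not code from Flatcar or bootengine: a small Python parser and validator for exactly that field layout, including the optional DNS entries. The sample command line it runs on is constructed, and the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Layout of the static ip= parameter from the release note:
#   ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]]
# The second field (peer address for point-to-point links) stays empty in this
# form, which is why the format shows two consecutive colons.


@dataclass
class StaticIpConfig:
    address: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address
    netmask: ipaddress.IPv4Address
    hostname: str
    iface: str
    dns: List[ipaddress.IPv4Address] = field(default_factory=list)

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False so that a host address with a netmask is accepted.
        return ipaddress.IPv4Network(f"{self.address}/{self.netmask}", strict=False)


def parse_ip_param(param: str) -> StaticIpConfig:
    """Parse one static ip= value; raise ValueError for anything that would not
    configure the interface the way the operator intended."""
    if param.startswith("ip="):
        param = param[len("ip="):]
    fields = param.split(":")
    if not 7 <= len(fields) <= 9:
        raise ValueError(f"expected 7 to 9 colon-separated fields, got {len(fields)}")
    ip, peer, gateway, netmask, hostname, iface, autoconf = fields[:7]
    if peer:
        raise ValueError("peer field must be empty in the static form")
    if autoconf != "none":
        raise ValueError(f"autoconf must be 'none' for static configuration, got {autoconf!r}")
    if not iface:
        raise ValueError("interface name must not be empty")
    address = ipaddress.IPv4Address(ip)      # raises ValueError on malformed input
    gw = ipaddress.IPv4Address(gateway)
    mask = ipaddress.IPv4Address(netmask)
    network = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)  # rejects bad masks
    if gw not in network:
        raise ValueError(f"gateway {gw} is not inside {network}")
    dns = [ipaddress.IPv4Address(d) for d in fields[7:] if d]
    return StaticIpConfig(address, gw, mask, hostname, iface, dns)


def static_ip_from_cmdline(cmdline: str) -> List[StaticIpConfig]:
    """Collect and validate every ip= token of a kernel command line, in order."""
    return [parse_ip_param(tok) for tok in cmdline.split() if tok.startswith("ip=")]


if __name__ == "__main__":
    # Constructed sample command line; not taken from any real system.
    sample = ("console=ttyS0 flatcar.autologin "
              "ip=10.0.0.5::10.0.0.1:255.255.255.0:node1:eth0:none:10.0.0.2:10.0.0.3")
    for cfg in static_ip_from_cmdline(sample):
        print(cfg.iface, cfg.address, cfg.network, cfg.gateway, [str(d) for d in cfg.dns])
```

Running it over a candidate command line before handing it to the PXE server catches the field-shift and gateway mistakes at build time rather than at first boot.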
Updates:
- Linux 5.4.52
Release Date: Jun 17, 2020 amd64
ignition - 0.34.0
kernel - 4.19.128
systemd - 1.30.0
- 241
Flatcar updates
Security fixes:
- Fix the Intel Microcode vulnerabilities (CVE-2020-0543)
Changes:
- A source code and licensing overview is available under /usr/share/licenses/INFO
Updates:
Release Date: May 26, 2020 amd64
ignition - 0.34.0
kernel - 4.19.124
systemd - 1.30.0
- 241
Flatcar updates
Security fixes:
- Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
- Fix Git arbitrary path overwrite, credential leak from credential helpers, remote code execution in recursive clones, and arbitrary command execution via submodules (CVE-2019-1348, CVE-2019-1387, CVE-2019-19604, CVE-2020-11008, CVE-2020-5260)
- Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
- Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
- Fix libidn2 domain impersonation (CVE-2019-12290)
- Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
- Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
- Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
- Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
- Fix vim arbitrary command execution via crafted file (CVE-2019-12735)
Bug fixes:
- When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar-linux/update_engine/pull/5)
- Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed
- Use the correct BINHOST URLs in the development container to download binary packages
Changes:
- Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar-linux/bootengine/pull/13)
- Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
- Use the flatcar.autologin kernel command line parameter on Azure and VMware for auto login on the serial console
- Include conntrack (conntrack-tools)
- Include journalctl output, pstore kernel crash logs, and coredumpctl list output in the mayday report
- Update wa-linux-agent to 2.2.46 on Azure
- Support both coreos.config.* and flatcar.config.* guestinfo variables on VMware OEM
Updates:
Release Date: Mar 31, 2020 amd64
ignition - 0.34.0
kernel - 4.19.112
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
  - This is a possible breaking change for some persistent network interface names
- Fix URL scheme in emerge-gitclone (https://github.com/flatcar-linux/coreos-overlay/issues/223)
- Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
- Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
- Remove /boot/coreos/first_boot after an Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
- Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)
Changes:
- Add kernel config for QEDE driver (https://github.com/flatcar-linux/coreos-overlay/pull/198)
- Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)
Updates:
- Linux 4.19.112
Release Date: Mar 2, 2020 amd64
ignition - 0.34.0
kernel - 4.19.106
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
- Fix backwards compatibility issues for users migrating from CoreOS Container Linux. Support the kernel command line parameters coreos.oem.*, coreos.autologin, coreos.first_boot, and the QEMU firmware config path opt/com.coreos/config (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)
Upstream Container Linux updates
Updates:
- Linux 4.19.106
Release Date: Feb 10, 2020 amd64
ignition - 0.33.0
kernel - 4.19.102
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
- Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
- Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)
Upstream Container Linux updates:
Security fixes:
- Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)
Changes:
- Enable qede kernel module
Updates:
- Linux 4.19.102
Release Date: Jan 17, 2020 amd64
ignition - 0.33.0
kernel - 4.19.95
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)
Updates:
Release Date: Dec 18, 2019 amd64
ignition - 0.33.0
kernel - 4.19.87
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)
- Fix bug of unpacking tarballs failing when xattr is not supported (https://github.com/flatcar-linux/torcx/pull/2)
Updates:
Release Date: Dec 5, 2019 amd64
ignition - 0.33.0
kernel - 4.19.87
systemd - 1.30.0
- 241
Release Date: Nov 21, 2019 amd64
ignition - 0.33.0
kernel - 4.19.84
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
- Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
Bug fixes:
- Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
Updates:
Release Date: Nov 11, 2019 amd64
ignition - 0.33.0
kernel - 4.19.81
systemd - 1.30.0
- 241
Release Date: Oct 17, 2019 amd64
ignition - 0.33.0
kernel - 4.19.79
systemd - 1.30.0
- 241
Release Date: Oct 16, 2019 amd64
ignition - 0.33.0
kernel - 4.19.78
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix kernel crash with CephFS mounts, introduced in 2247.3.0 (#2616)
Updates:
- Linux 4.19.78
Release Date: Sep 25, 2019 amd64
ignition - 0.33.0
kernel - 4.19.75
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix kernel KVM guest escape (CVE-2019-14835)
- Fix race condition in Intel microprocessors (CVE-2019-11184)
Updates:
Release Date: Sep 13, 2019 amd64
ignition - 0.33.0
kernel - 4.19.71
systemd - 1.30.0
- 241
Release Date: Sep 5, 2019 amd64
ignition - 0.33.0
kernel - 4.19.69
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
- Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)
Bug fixes:
- Fix GCE agent crash loop in new installs (#2608)
Updates:
- Linux 4.19.69
Release Date: Aug 30, 2019 amd64
ignition - 0.33.0
kernel - 4.19.68
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)
Updates:
Release Date: Aug 16, 2019 amd64
ignition - 0.33.0
kernel - 4.19.65
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)
Updates:
- Linux 4.19.65
Flatcar updates
Bug fixes:
- Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
- Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
- Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)
Release Date: Aug 8, 2019 amd64
ignition - 0.33.0
kernel - 4.19.65
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)
Updates:
- Linux 4.19.65
Flatcar updates
Changes:
- Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)
Release Date: Aug 1, 2019 amd64
ignition - 0.33.0
kernel - 4.19.62
systemd - 1.30.0
- 241
Release Date: Jul 17, 2019 amd64
ignition - 0.33.0
kernel - 4.19.56
systemd - 1.30.0
- 241
Upstream Container Linux updates:
No changes for beta promotion
Release Date: Jul 3, 2019 amd64
ignition - 0.33.0
kernel - 4.19.55
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)
Updates:
- Ignition 0.33.0
Release Date: Jul 1, 2019 amd64
ignition - 0.32.0
kernel - 4.19.55
systemd - 1.30.0
- 241
Release Date: Jun 19, 2019 amd64
ignition - 0.32.0
kernel - 4.19.50
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
Bug fixes:
- Fix invalid bzip2 compression of Container Linux release images (#2589)
Updates:
- Linux 4.19.50
Release Date: May 21, 2019 amd64
ignition - 0.32.0
kernel - 4.19.44
systemd - 1.30.0
- 241
Release Date: May 16, 2019 amd64
ignition - 0.31.0
kernel - 4.19.43
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)
Updates:
Release Date: May 8, 2019 amd64
ignition - 0.31.0
kernel - 4.19.36
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix systemd MountFlags=shared option (#2579)
Changes:
- Pin network interface naming to systemd v238 scheme (#2578)
Release Date: Apr 24, 2019 amd64
ignition - 0.31.0
kernel - 4.19.36
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Disable new sticky directory protections for backward compatibility (#2577)
Changes:
- Enable atlantic kernel module (#2576)
Updates:
- Linux 4.19.36
Release Date: Apr 17, 2019 amd64
ignition - 0.31.0
kernel - 4.19.34
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Disable new sticky directory protections for backwards compatibility (#2577)
Changes:
- Enable atlantic kernel module (#2576)
Updates:
- Linux 4.19.34
Release Date: Mar 26, 2019 amd64
ignition - 0.31.0
kernel - 4.19.31
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix systemd presets incorrectly handling escaped unit names (#2569)
Updates:
- Linux 4.19.31
Release Date: Mar 12, 2019 amd64
ignition - 0.30.0
kernel - 4.19.28
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix systemd-journald memory leak (#2564)
Updates:
- Linux 4.19.28
Release Date: Feb 27, 2019 amd64
ignition - 0.30.0
kernel - 4.19.25
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
- Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)
Updates:
- Linux 4.19.25
Release Date: Feb 21, 2019 amd64
ignition - 0.30.0
kernel - 4.19.23
systemd - 1.30.0
- 238
Release Date: Feb 14, 2019 amd64
ignition - 0.30.0
kernel - 4.19.20
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix runc container breakout (CVE-2019-5736)
Changes:
- Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)
Updates:
Release Date: Jan 30, 2019 amd64
ignition - 0.30.0
kernel - 4.19.18
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Go CPU denial of service in ECC (CVE-2019-6486)
Updates:
Release Date: Jan 18, 2019 amd64
ignition - 0.29.1
kernel - 4.19.13
systemd - 1.30.0
- 238
Release Date: Dec 21, 2018 amd64
ignition - 0.28.0
kernel - 4.14.88
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
- Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)
Updates:
Release Date: Dec 6, 2018 amd64
ignition - 0.28.0
kernel - 4.14.84
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Changes:
- Switch to the LTS Linux version 4.14.84 for the beta channel
Release Date: Nov 21, 2018 amd64
ignition - 0.28.0
kernel - 4.14.81
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
Updates:
- Linux 4.14.81
Release Date: Nov 8, 2018 amd64
ignition - 0.28.0
kernel - 4.14.79
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
- Fix systemd race allowing changing file permissions (CVE-2018-15687)
- Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)
Changes:
- Switch to the LTS Linux version 4.14.79 for the beta channel
Release Date: Oct 26, 2018 amd64
ignition - 0.28.0
kernel - 4.14.78
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Git remote code execution during recursive clone (CVE-2018-17456)
Bug fixes:
- Fix missing kernel headers (#2505)
Updates:
Release Date: Oct 11, 2018 amd64
ignition - 0.28.0
kernel - 4.14.74
systemd - 1.30.0
- 238
Flatcar updates
Changes:
- Add new image signing subkey to flatcar-install (flatcar-linux/init#4)
Bug fixes:
- Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)
Upstream Container Linux updates:
Changes:
- Switch to the LTS Linux version 4.14.74 for the beta channel
Release Date: Sep 14, 2018 amd64
ignition - 0.28.0
kernel - 4.14.69
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix Docker mounting named volumes (#2497)
Changes:
- Switch to the LTS Linux version 4.14.69 for the beta channel
Updates:
- intel-microcode 20180807a
Release Date: Sep 5, 2018 amd64
ignition - 0.26.0
kernel - 4.14.67
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Changes:
- Drop AWS PV images from regions which do not support PV
Updates:
- containerd 1.1.2
- Docker 18.06.1-ce
- intel-microcode 20180807a
- Linux 4.14.67
Release Date: Aug 17, 2018 amd64
ignition - 0.26.0
kernel - 4.14.63
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
- Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
Bug fixes:
- Fix PXE systems attempting to mount an ESP (#2491)
Changes:
- Switch to the LTS Linux version 4.14.63 for the beta channel
Release Date: Aug 8, 2018 amd64
ignition - 0.26.0
kernel - 4.14.60
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)
Bug fixes:
- Fix failure to mount large ext4 filesystems (#2485)
Updates:
- Linux 4.14.60
Release Date: Jul 31, 2018 amd64
ignition - 0.26.0
kernel - 4.14.59
systemd - 1.30.0
- 238
Release Date: Jul 26, 2018 amd64
ignition - 0.26.0
kernel - 4.14.57
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Changes:
- Switch to the LTS Docker version 18.03.1-ce for the beta channel
- Switch to the LTS Linux version 4.14.57 for the beta channel
Release Date: Jul 13, 2018 amd64
ignition - 0.25.1
kernel - 4.14.55
systemd - 1.30.0
- 238
Release Date: Jun 22, 2018 amd64
ignition - 0.25.1
kernel - 4.14.50
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Changes:
- Switch to the LTS Docker version 18.03.1-ce for the beta channel
- Switch to the LTS Linux version 4.14.50 for the beta channel
Release Date: Jun 15, 2018 amd64
ignition - 0.24.1
kernel - 4.14.49
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix TCP connection stalls (#2457)
Updates:
- Linux 4.14.49
Release Date: Jun 13, 2018 amd64
ignition - 0.24.1
kernel - 4.14.48
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix Hyper-V network driver regression (#2454)
Updates:
- Linux 4.14.48
Release Date: Jun 1, 2018 amd64
ignition - 0.24.1
kernel - 4.14.47
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)
Bug fixes:
- Fix inadvertent change of network interface names (#2437)
- Fix failure to set network interface MTU (#2443)
Updates:
Release Date: May 26, 2018 amd64
ignition - 0.24.1
kernel - 4.14.42
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Changes:
- Switch to the LTS Docker version 18.03.1-ce for the beta channel
- Switch to the LTS Linux version 4.14.42 for the beta channel
Updates:
- Ignition 0.24.1
Release Date: May 11, 2018 amd64
ignition - 0.24.0
kernel - 4.14.39
systemd - 1.29.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
- Fix ntp denial of service from out of bounds read (CVE-2018-7182)
- Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
- Fix ntp remote code execution (CVE-2018-7183)
Updates:
- containerd 1.0.3
- Docker 18.03.1-ce
- Linux 4.14.39
- ntp 4.2.8p11
Release Date: Apr 26, 2018 amd64
ignition - 0.24.0
kernel - 4.14.35
systemd - 1.29.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix docker2aci tar conversion (#2402)
Changes:
- Switch to the LTS Linux version 4.14.35 for the beta channel
Release Date: Apr 25, 2018 amd64
ignition - 0.23.0
kernel - 4.14.30
systemd - 1.29.0
- 237
Flatcar updates
Initial Flatcar release.
Bug fixes:
- Fix GRUB crash at boot (#2284)
- Fix poweroff problems (#8080)
Notes:
- Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.
Upstream Container Linux updates:
Bug fixes:
- Fix kernel panic with vxlan (#2382)
ignition - 0.34.0
kernel - 5.10.25
systemd - 247
Security fixes
- Linux (CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28039, CVE-2021-28375, CVE-2021-28660, CVE-2021-27218, CVE-2021-27219)
- Go (CVE-2021-27918, CVE-2021-27919)
- boost (CVE-2012-2677)
- glib (CVE-2021-28153, CVE-2021-27218, CVE-2021-27219)
- ncurses (CVE-2019-17594, CVE-2019-17595)
- openssl (CVE-2021-3449, CVE-2021-3450)
- zstd (CVE-2021-24032)
Bug Fixes
- GCE: The old interface name ens4v1 which was replaced by eth0 due to a broken udev rule was restored, but now as alternative interface name, and eth0 will stay the primary name for consistency across cloud environments. (init#38)
Changes
- The virtio network interfaces got predictable interface names as alternative interface names, and thus these names can also be used to match for a specific interface in case there is more than one and the eth0 and eth1 name assignment is not stable. (init#38)
- The pam_faillock PAM module was enabled as a replacement for the removed pam_tally2 module and will temporarily lock an account after login attempts with a wrong password. The faillock command can be used to show the current state. With pam_tally2 there was no limit for wrong password login attempts, but with faillock the default already restricts the attempts. The default behavior was relaxed to allow 5 wrong passwords per two minutes, with a one minute account lock time. This does not apply to logins with an SSH key. (baselayout#17)
- The etcd and flannel services are now run with Docker, and any rkt-based customizations of the etcd-member and flanneld services are not supported anymore. Also, because the flanneld service relies on Docker and will restart Docker after applying the new configuration, it is not possible anymore to set Requires=flanneld.service for docker.service; instead it’s enough to have flanneld.service enabled. (coreos-overlay#857)
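To make the lockout policy in the pam_faillock note concrete (5 wrong passwords within two minutes, one minute lock, tally reset by a successful login), here is an added Python model of that behaviour. It is an illustration written for this page, not Flatcar's configuration or pam_faillock's code; the option names deny, fail_interval and unlock_time are pam_faillock's, the simplification (no per-user audit records, no separate root handling) and the attempt sequences are this example's own. Replaying a suspected brute-force sequence through it shows when the account would have been locked and which later attempts, correct password or not, were rejected, which is useful when tuning alert thresholds against the host's actual policy.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    # Values as stated in the release note for the relaxed Flatcar default:
    # 5 failures within two minutes lock the account for one minute.
    deny: int = 5
    fail_interval: int = 120   # seconds, sliding window for counting failures
    unlock_time: int = 60      # seconds the lock is held after the locking failure


def simulate_lockout(policy: LockoutPolicy,
                     attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (timestamp_seconds, password_correct) attempts through a simplified
    model of pam_faillock's tally and return one outcome per attempt:
    'ok', 'denied' (wrong password, not yet locked) or 'locked'."""
    recent_failures: List[int] = []
    locked_until: Optional[int] = None
    outcomes: List[str] = []
    for ts, password_ok in attempts:
        if locked_until is not None and ts < locked_until:
            # While the lock holds, even a correct password is rejected.
            outcomes.append("locked")
            continue
        if password_ok:
            # A successful login resets the tally (pam_faillock's default).
            recent_failures = []
            locked_until = None
            outcomes.append("ok")
            continue
        # Keep only failures inside the sliding fail_interval window, add this one.
        recent_failures = [t for t in recent_failures if ts - t < policy.fail_interval]
        recent_failures.append(ts)
        if len(recent_failures) >= policy.deny:
            # The tally is not cleared by the lock expiring, so a further failure
            # shortly after unlock locks the account again (as with faillock).
            locked_until = ts + policy.unlock_time
            outcomes.append("locked")
        else:
            outcomes.append("denied")
    return outcomes


def first_lock_time(policy: LockoutPolicy,
                    attempts: List[Tuple[int, bool]]) -> Optional[int]:
    """Timestamp of the attempt that first locked the account, or None."""
    for (ts, _), outcome in zip(attempts, simulate_lockout(policy, attempts)):
        if outcome == "locked":
            return ts
    return None


if __name__ == "__main__":
    # Constructed sequence: five wrong passwords in 40 s, then the right one twice.
    burst = [(0, False), (10, False), (20, False), (30, False), (40, False),
             (50, True), (100, True)]
    policy = LockoutPolicy()
    for (ts, ok), outcome in zip(burst, simulate_lockout(policy, burst)):
        print(f"t={ts:3d}s correct={ok!s:5} -> {outcome}")
    print("first lock at", first_lock_time(policy, burst))
```

Note the two constructed sequences the test exercises: a fast burst locks on the fifth failure and rejects the correct password 10 s later, while five failures spread one minute apart never exceed deny within the 120 s window and only ever produce plain denials.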
Updates
- Linux (5.10.25)
- Linux firmware (20210315)
- Go (1.15.10)
- boost (1.75.0)
- glib (2.66.8)
- ncurses (6.2)
- openssl (1.1.1k)
- open-iscsi (2.1.4)
- zstd (1.4.9)
Note: Please note that ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.10.21
systemd - 247
Security fixes
- Linux - (CVE-2020-25639, CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28039)
- containerd (GHSA-6g2q-w5j3-fwh4)
Bug fixes
- Include firmware files for all modules shipped in our image (Issue #359, PR #887)
- Add explicit path to the binary call in the coreos-metadata unit file (Issue #360)
Updates
ignition - 0.34.0
kernel - 5.10.19
systemd - 247
Security fixes
- Linux (CVE-2021-26931, CVE-2021-26930, CVE-2021-26932)
- openssl (CVE-2021-23840, CVE-2021-23841, CVE-2020-1971, CVE-2021-23840, CVE-2021-23841)
- intel-microcode (CVE-2020-8696, CVE-2020-8698)
Changes
- sshd: use secure crypto algos only (kinvolk/coreos-overlay#852)
- samba: Update to EAPI=7, add new USE flags and remove deps on icu (kinvolk/coreos-overlay#864)
- kernel: enable kernel config CONFIG_BPF_LSM (kinvolk/coreos-overlay#846)
- bootengine: set hostname for EC2 and OpenStack from metadata (kinvolk/coreos-overlay#848)
Updates
- Linux (5.10.19)
- systemd (247.3)
- intel-microcode (20210216)
- multipath-tools (0.8.5)
- openssl (1.1.1j)
- runc (1.0.0_rc93)
- SDK: Rust (1.50.0)
Deprecation
- dhcpcd and containerd-stress will be deprecated from Alpha, also from other channels in the future (kinvolk/coreos-overlay#858)
Note: Please note that ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.10.16
systemd - 247
Security fixes
- Linux (CVE-2021-3347, CVE-2021-3348, CVE-2021-26708, CVE-2021-20194)
- Docker (CVE-2021-21285, CVE-2021-21284)
- samba (CVE-2020-14318, CVE-2020-14323, CVE-2020-14383)
- openldap (CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230)
- c-ares (CVE-2020-8277)
- coreutils (CVE-2017-7476)
- intel-microcode (CVE-2020-8698, CVE-2020-8694, CVE-2020-8695, CVE-2020-8696)
Bug fixes
- profile: filter out bullet point when parsing failed units (baselayout#16)
- app-crypt/trousers: use correct file permissions (coreos-overlay#809)
- sys-apps/systemd: Fix unit installation (coreos-overlay#810)
- passwd: use correct GID for tss (baselayout#15)
- flatcar-eks: add missing mkdir and update to latest versions (coreos-overlay#817)
- coreos-base/gmerge: Stop installing gmerge script (coreos-overlay#828)
- Update sys-apps/coreutils and make sure they have split-usr disabled for generic images (coreos-overlay#829)
Changes
- dev-lang/go: delete go 1.6 (coreos-overlay#827)
- sys-block/open-iscsi: Command substitution in iscsi-init system service (coreos-overlay#801)
- scripts/motdgen: Add OEM information to motd output (init#34)
- torcx: delete Docker 1.12 (coreos-overlay#826)
- portage update: update portage and related packages to newer versions (coreos-overlay#840)
- bin/flatcar-install: add parameters to make wget more resilient (init#35)
Updates
- Linux (5.10.16)
- Docker (19.03.15)
- go (1.15.8)
- c-ares (1.17.1)
- cri-tools (1.19.0)
- samba (4.12.9)
- openldap (2.4.57)
- coreutils (8.32)
- intel-microcode (20201112)
Deprecation
- Docker 1.12 will be deprecated from Alpha, also from other channels in the future.
Note: Please note that ARM images remain experimental for now.
Release Date: Jan 28, 2021 amd64
ignition - 0.34.0
kernel - 5.10.10
systemd - 247
Security fixes
- Linux - CVE-2020-28374, CVE-2020-36158
- go - CVE-2021-3114
- bsdiff - CVE-2020-14315
- curl - CVE-2020-8169, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286
- dhcpcd - CVE-2019-11577, CVE-2019-11766
- mit-krb5 - CVE-2020-28196
- sudo - CVE-2021-3156, CVE-2021-23239
Bug fixes
- /etc/iscsi/initiatorname.iscsi is generated by the iscsi-init service (#321)
- Prevent iscsiadm buffer overflow (#318)
Changes
- Revert to building docker and containerd with go1.13 instead of go1.15. This reduces the SIGURG log spam (Issue #315 PR #774)
- The containerd socket is now available in the default location (/run/containerd/containerd.sock) and also as a symlink in the previous location (/run/docker/libcontainerd/docker-containerd.sock) (#771)
- AWS Pro: include scripts to facilitate setup of EKS workers (#794).
- Missed from earlier notes: with the previous open-iscsi update to 2.1.2, the service unit name changed from iscsid to iscsi (#682)
Updates
- linux (5.10.10)
- systemd (247.2)
- curl (7.74.0)
- dhcpcd (8.1.9)
- open-iscsi (2.1.3)
- go (1.15.7)
- mit-krb5 (1.18.2-r2)
- open-vm-tools (11.2.5)
- rust (1.49.0)
- sudo (1.9.5p2)
Note: This alpha release includes only AMD64 images.
ignition - 0.34.0
kernel - 5.10.4
systemd - 246
Security fixes
- Linux
Bug fixes
- afterburn (coreos-metadata): Restart on failure and keep coreos-metadata unit active (kinvolk/coreos-overlay#768)
- networkd: avoid managing MAC addresses for veth devices (kinvolk/init#33)
Changes
- Updated nsswitch.conf to use systemd-resolved (kinvolk/baselayout#10)
- Enabled systemd-resolved stub listeners (kinvolk/baselayout#11)
- systemd-resolved: Disabled DNSSEC for the mean time (kinvolk/baselayout#14)
- kernel: enabled CONFIG_DEBUG_INFO_BTF (kinvolk/coreos-overlay#753)
- containerd: Switched to default upstream socket location while keeping a symlink for the previous location in Flatcar (kinvolk/coreos-overlay#771)
- containerd: Disabled shim debug logs (kinvolk/coreos-overlay#766)
Updates
Note: Please note that ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.9.14
systemd - 246
Security fixes
- bsdiff
- containerd
- pam
- Linux
  - CVE-2020-29661
  - CVE-2020-29660
  - CVE-2020-27830
  - CVE-2020-28588 (only affects 32-bit systems, Flatcar Container Linux is not affected)
  - CVE-2020-27835 (only affects systems with Infiniband HF1 driver, Flatcar Container Linux is not affected)
Bug fixes
- The sysctl net.ipv4.conf.*.rp_filter is set to 0 for the Cilium CNI plugin to work (Flatcar#181)
- Package downloads in the developer container now use the correct URL again (Flatcar#298)
Changes
- A symlink vimdiff should not be created if the USE flag minimal is enabled. (Flatcar/#221)
- The sysctl default config file is now applied under the prefix 60, which allows custom sysctl config files to take effect when they start with a prefix of 70, 80, or 90 (baselayout#13)
- Containerd CRI plugin got enabled by default, only the containerd socket path needs to be specified as kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (Flatcar#283)
- For users with a custom update server a machine alias setting in update-engine allows to give human-friendly names to client instances (update-engine#8)
- Enable BCMGENET as a module on arm64_defconfig-5.9 (coreos-overlay#717)
- Enable BCM7XXX_PHY as a module on arm64_defconfig-5.9 for Raspberry Pi 4 (coreos-overlay#716)
- Disable jpeg USE flag from QEMU (coreos-overlay#729)
- flatcar_production_qemu.sh: Use more CPUs for ARM if available (scripts#91)
Updates
- Linux (5.9.14)
- Linux firmware (20201118)
- Docker (19.03.14)
- containerd (1.4.3)
- pam (1.5.1)
- sqlite (3.33)
- SDK: Rust (1.47.0)
- SDK: Go (1.15.6)
- SDK: repo (2.8)
- SDK: dwarves (1.19)
Note: Please note that ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.9.11
systemd - 246
Security fixes
- glibc (CVE-2019-9169, CVE-2019-6488, CVE-2019-7309, CVE-2020-10029, CVE-2020-1751, CVE-2020-6096, CVE-2018-20796)
Bug fixes
- Added systemd-tmpfiles directives for /opt and /opt/bin to ensure that the folders have correct permissions even when /opt/ was once created by containerd (Flatcar#279)
Changes
- Enabled the kernel config HOTPLUG_PCI_ACPI for arm64 to support attaching EC2 volumes (PR#705)
Updates
Note: Please note that ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.9.8
systemd - 246
Security fixes:
- Linux - (CVE-2020-27673, CVE-2020-27675)
- Go - (CVE-2020-28362, CVE-2020-28367, CVE-2020-28366)
- glib (CVE-2019-12450)
- open-iscsi (CVE-2017-17840)
- samba (CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, CVE-2019-3880, CVE-2019-10218)
- shadow (CVE-2019-19882)
- sssd (CVE-2018-16883, CVE-2019-3811, CVE-2018-16838)
- trousers (CVE-2020-24330, CVE-2020-24331)
- cifs-utils (CVE-2020-14342)
- ntp (CVE-2020-11868, CVE-2020-13817, CVE-2018-8956, CVE-2020-15025)
- bzip2 (CVE-2019-12900)
Bug fixes:
- network: Restore KeepConfiguration=dhcp-on-stop (kinvolk/init#30)
- Make the automatic filesystem resizing more robust against a race and add more logging (kinvolk/init#31)
- Default again to waiting only for one network interface to be ready with systemd-networkd-wait-online which was missing in the initial systemd 246 update
- Default again to disabling IP Forwarding in systemd which was missing in the initial systemd 246 update
- Make systemd detect updates again when the /usr partition changes which was missing in the initial systemd 246 update
- Default again to set DefaultTasksMax=100% in systemd which was missing in the initial systemd 246 update
- Default again to disable SELinux permissions checks in systemd which was missing in the initial systemd 246 update
Changes:
- The zstd tools were added (version 1.4.4)
- The kernel config CONFIG_PSI was set to support Pressure Stall Information, more information also under https://facebookmicrosites.github.io/psi/docs/overview (Flatcar#162)
- The kernel config CONFIG_BPF_JIT_ALWAYS_ON was set to use the BPF just-in-time compiler by default for faster execution
- The kernel config CONFIG_DEBUG_INFO_BTF was set to support BTF metadata (BPF Type Format), one important piece for portability of BPF programs (CO-RE: Compile Once - Run Everywhere) through relocation
- The kernel config CONFIG_POWER_SUPPLY was set
- The kernel configs CONFIG_OVERLAY_FS_METACOPY and CONFIG_OVERLAY_FS_REDIRECT_DIR were set. With the first overlayfs will only copy up metadata when a metadata-specific operation like chown/chmod is performed. The full file will be copied up later when the file is opened for write operations. With the second, which is equivalent to setting “redirect_dir=on” in the kernel command-line, overlayfs will copy up the directory first before the actual content (Flatcar#170).
Updates:
- Linux (5.9.8)
- Linux firmware (20200918)
- systemd (246.6)
- bzip2 (1.0.8)
- cifs-utils (6.11)
- dbus-glib (0.110)
- elfutils (0.178)
- glib (2.64.5)
- ntp (4.2.8_p15)
- open-iscsi (2.1.2)
- samba (4.11.13)
- shadow (4.8)
- sssd (2.3.1)
- strace (5.9)
- talloc (2.3.1)
- tdb (1.4.3)
- tevent (0.10.2)
- SDK/developer container: GCC (9.3.0), binutils (2.35), gdb (9.2)
- SDK: Go (1.15.5)
- VMware: open-vm-tools (11.2.0)
ignition - 0.34.0
kernel - 5.8.16
systemd - 246
Security fixes:
- Linux - CVE-2020-27194
- c-ares - CVE-2017-1000381
- file - CVE-2019-18218
- json-c - CVE-2020-12762
- libuv - CVE-2020-8252
- libxml2 - CVE-2019-20388 CVE-2020-7595
- re2c - CVE-2020-11958
- tar - CVE-2019-9923
Bug fixes:
- Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)
- Allow inactive network interfaces to be bound to a bonding interface, by encoding additional configuration for systemd-networkd-wait-online (afterburn PR #10)
- Azure: Exclude bonded SR-IOV driver mlx5-core from network interfaces managed by systemd-networkd (bootengine PR #19) (init PR #29)
- Do not configure ccache in Jenkins (scripts PR #100)
Changes:
- Remove unnecessary kernel module nf-conntrack-ipv4 (overlay PR#649)
Updates:
- Linux 5.8.16
- c-ares 1.61.1
- cryptsetup 2.3.2
- json-c 0.15
- libuv 1.39.0
- libxml2 2.9.10
- tar 1.32
- Go 1.15.3, 1.12.17 (only in SDK)
- file 5.39 (only in SDK)
- gdbus-codegen 2.64.5 (only in SDK)
- meson 0.55.3 (only in SDK)
- re2c 2.0.3 (only in SDK)
Note: ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.8.14
systemd - 246
Security fixes:
- Linux - CVE-2020-25645, CVE-2020-25643, CVE-2020-25211
Bug fixes:
- Ensured that the /etc/coreos to /etc/flatcar symlink always exists, relevant for the Container Linux Config transpiler (ct) when specifying directives for update: or locksmith: while also reformatting the rootfs (baselayout PR#7)
- Azure: Exclude bonded SR-IOV network interfaces with newer drivers from networkd (in addition to the old drivers) to prevent them being configured instead of just the bond interface (init PR#29, bootengine PR#19)
Changes:
- Compress kernel modules with xz (overlay PR#628)
- Add containerd-runc-shim-v* binaries required by kubelet custom CRI endpoints (overlay PR#623)
- AWS arm64: Enable elastic network adapter module (overlay PR#631)
- Equinix Metal (Packet): Exclude unused network interfaces from networkd, disregard the state of the bonded interfaces for the network-online.target and only require the bond interface itself to have at least one active link instead of routable, which requires both links to be active (afterburn PR#10)
- QEMU: Use flatcar.autologin kernel command line parameter for auto login on the console (Flatcar #71)
Updates:
Release Date: Sep 30, 2020 amd64
ignition - 0.34.0
kernel - 5.8.11
systemd - 245
Security fixes:
- Linux: CVE-2020-25284, CVE-2020-14390
- jq: CVE-2015-8863, CVE-2016-4074
- sqlite: CVE-2020-11656, CVE-2020-9327, CVE-2020-11655, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358
- tcpdump and libpcap: CVE-2018-10103, CVE-2018-10105, CVE-2018-16301, CVE-2019-15163, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166, CVE-2018-19325, CVE-2018-14879, CVE-2017-16808, CVE-2018-19519, CVE-2019-15161, CVE-2019-15165, CVE-2019-15164, CVE-2019-1010220
- libbsd: CVE-2019-20367
- rsync: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
Bug fixes:
- Enabled missing systemd services (#191, PR #612)
- Fixed Docker torcx image unpacking error on machines with less than ~600 MB total RAM (#32)
- Solved adcli Kerberos Active Directory incompatibility (#194)
- Fixed the makefile path when building kernel modules with the developer container (#195)
- Removed the /etc/portage/savedconfig/ folder that contained a dump of the firmware config (flatcar-linux/coreos-overlay#613)
Changes:
- GCE: Improved oslogin support and added shell aliases to run a Python Docker image (PR #592)
Updates:
- Linux 5.8.11
- Docker 19.03.13
- docker-runc 1.0.-rc92
- containerd 1.4.1
- adcli 0.9.0
- GCE: oslogin 20200910.00
- jq 1.6
- rsync 3.2.3
- tcpdump 4.9.3
Note: ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.8.9
systemd - 1.30.0
- 245
Bug fixes:
- Fix resetting of DNS nameservers in systemd-networkd units (PR#12)
Changes:
- Disable TX checksum offloading for the IP-in-IP tunl0 interface used by Calico (PR#26). This is a workaround for a Mellanox driver issue, currently tracked in Flatcar#183
- Set sysctl net.ipv4.conf.(all|*).rp_filter to 0 (instead of the systemd upstream value 2) to be less restrictive, which some network solutions rely on (PR#11)
- Update-engine now detects rollbacks and reports them as errors to the update server (PR#6)
- flatcar-install allows installation to a multipath drive (PR#24)
- Support the lockdown kernel command line parameter (PR#533)
- Update public key to include a new subkey
Updates:
Note: ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.4.61
systemd - 1.30.0
- 245
Bug fixes:
- Resolve ipset API incompatibility Flatcar#174
- Fix udev rule warning about ignored value Flatcar#164
- Add missing render group Flatcar#169
Changes:
- Mount /sys/fs/bpf into the toolbox container and allow BPF syscalls (PR#544)
- Support loading BPF programs with tc Flatcar#172
Updates:
- Linux 5.4.61
- etcd-wrapper/etcdctl 3.3.25
- ipset 7.6
- iproute 5.8
- mdadm 4.1
- VMware: openvm-tools 11.1.5
Note: ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.4.59
systemd - 1.30.0
- 245
Security fixes:
- Bind: fixes for CVE-2020-8616, CVE-2020-8617, CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
Bug fixes:
- etcd-wrapper: Adjust data dir permissions https://github.com/flatcar-linux/coreos-overlay/pull/536
Changes:
- Add drivers for qedf, qedi, qla4xxx as kernel modules https://github.com/flatcar-linux/coreos-overlay/pull/528
Updates:
ignition - 0.34.0
kernel - 5.4.55
systemd - 1.30.0
- 245
Bug Fixes:
- Improved logic for GPT disk UUID randomization to fix booting on Packet c3.medium.x86 machines (flatcar-linux/bootengine#17)
- gpg: add patches for accepting keys without UIDs (flatcar-linux/coreos-overlay#381)
- The static IP address configuration in the initramfs works again in the format ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none[:<dns1>[:<dns2>]] (flatcar-linux/bootengine#15)
Changes:
- Since version 245 systemd-networkd ignores network unit files with an empty [Match] section. Add a Name=* entry to match all interfaces.
- Weave network interfaces are excluded from systemd-networkd (flatcar-linux/init#22)
- Enabled the mmio and vsock virtio kernel modules for Firecracker (flatcar-linux/coreos-overlay#485)
- Enabled CONFIG_IKHEADERS to expose kernel headers under /sys/kernel/kheaders.tar.xz
- Vultr support in Ignition (flatcar-linux/ignition#13)
- VMware OVF settings default to ESXi 6.5 and Linux 3.x
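The empty-[Match] pitfall above is easy to introduce and silent when it happens, so here is an added example (not Flatcar's own tooling) that scans a directory of .network units for an empty [Match] section and inserts the Name=* entry where one is missing; the sample unit files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Flatcar project: find systemd-networkd
# .network units whose [Match] section has no keys. Since systemd 245 such a
# unit is ignored, so a file that used to match every interface silently
# stops applying. The fix from the release note is to add "Name=*" to [Match].

# Print the state of the [Match] section of one unit file:
#   "ok"      - [Match] has at least one key
#   "empty"   - [Match] exists but has no keys (ignored since systemd 245)
#   "missing" - the file has no [Match] section at all
# Always returns 0 so it can be used under "set -e".
networkd_match_state() {
    awk '
        BEGIN { in_match = 0; seen = 0; keys = 0 }
        /^[[:space:]]*[#;]/ { next }            # comment line
        /^[[:space:]]*\[/ {                     # section header
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            in_match = (sec == "Match")
            if (in_match) seen = 1
            next
        }
        in_match && /^[[:space:]]*[A-Za-z][A-Za-z0-9]*[[:space:]]*=/ { keys++ }
        END {
            if (!seen) print "missing"
            else if (keys == 0) print "empty"
            else print "ok"
        }
    ' "$1"
}

# Insert "Name=*" directly after the first [Match] header of a unit whose
# [Match] section is empty; files that are "ok" or "missing" are left alone.
networkd_add_match_all() {
    [ "$(networkd_match_state "$1")" = "empty" ] || return 0
    tmp="$1.tmp.$$"
    awk '
        { print }
        /^[[:space:]]*\[Match\][[:space:]]*$/ && !added { print "Name=*"; added = 1 }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# List every unit in a directory whose [Match] section is empty.
networkd_list_empty_match() {
    for unit in "$1"/*.network; do
        [ -f "$unit" ] || continue
        [ "$(networkd_match_state "$unit")" = "empty" ] && echo "$unit"
    done
    return 0
}

# Stand-alone demonstration on constructed sample units (not real host files);
# on a Flatcar host you would point networkd_list_empty_match at
# /etc/systemd/network instead.
demo_dir=$(mktemp -d)
printf '[Match]\n\n[Network]\nDHCP=yes\n' > "$demo_dir/00-empty.network"
printf '[Match]\nName=*\n\n[Network]\nDHCP=yes\n' > "$demo_dir/10-all.network"
printf '[Network]\nDHCP=yes\n' > "$demo_dir/20-nomatch.network"
echo "units with an empty [Match] section (ignored since systemd 245):"
networkd_list_empty_match "$demo_dir"
networkd_add_match_all "$demo_dir/00-empty.network"
echo "after adding Name=*: $(networkd_match_state "$demo_dir/00-empty.network")"
rm -rf "$demo_dir"
```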
Updates:
- Linux 5.4.55
- systemd v245
- Docker 19.03.12
- gnupg 2.2.20
- cryptsetup 2.0.3
- etcd 3.3.22
- etcdctl 3.3.22
- Go 1.13.14
- Rust 1.44.1
Note: ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.4.47
systemd - 1.30.0
- 243
Security Fixes:
- Malicious URLs can cause Git to expose private credentials CVE-2020-5260
- Similar to CVE-2020-5260, malicious URLs can cause Git to expose private credentials CVE-2020-11008
Bugfixes:
- Include dig binary in ARM flatcar-linux/Flatcar#123
- Fix the login prompt issue in the ISO flatcar-linux/Flatcar#131
- app-admin/{kubelet, etcd, flannel}-wrapper: don't overwrite the user supplied --insecure-options argument https://github.com/flatcar-linux/coreos-overlay/pull/426
Updates:
Note: ARM images remain experimental for now.
ignition - 0.34.0
kernel - 5.4.46
systemd - 1.30.0
- 243
Flatcar updates
Security fixes:
- Fix the Intel Microcode vulnerabilities (CVE-2020-0543)
Changes:
- A source code and licensing overview is available under /usr/share/licenses/INFO
Updates:
ignition - 0.34.0
kernel - 5.4.41
systemd - 1.30.0
- 243
Flatcar updates
Security fixes:
- Fix e2fsprogs arbitrary code execution via crafted filesystem (CVE-2019-5094)
- Fix libarchive crash or use-after-free via crafted RAR file (CVE-2019-18408, CVE-2020-9308)
- Fix libgcrypt ECDSA timing attack (CVE-2019-13627)
- Fix libidn2 domain impersonation (CVE-2019-12290)
- Fix NSS crashes and heap corruption (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698, CVE-2018-18508, CVE-2019-11745)
- Fix OpenSSL overflow in Montgomery squaring procedure (CVE-2019-1551)
- Fix SQLite crash and heap corruption (CVE-2019-16168, CVE-2019-5827)
- Fix unzip heap overflow or excessive resource consumption via crafted archive (CVE-2018-1000035, CVE-2019-13232)
- Fix vim arbitrary command execution via crafted file (CVE-2019-12735)
Bug fixes:
- Revert adding the SELinux use flag for docker-runc until a regression is solved
- When writing the update kernel, prefer /boot/coreos only if /boot/coreos/vmlinux-* exists (https://github.com/flatcar-linux/update_engine/pull/5)
- Fixed sysroot-boot initramfs service race which resulted in a warning that this service failed
Changes:
- Support the CoreOS GRUB /boot/coreos/first_boot flag file (https://github.com/flatcar-linux/bootengine/pull/13)
- Fetch container images in docker format rather than ACI by default in etcd-member.service, flanneld.service, and kubelet-wrapper
- Add wireguard kernel module from wireguard-linux-compat
- Include wg (wireguard-tools)
- Enable regex support for jq
- Use flatcar.autologin kernel command line parameter on Azure for auto login on the serial console
Updates:
ignition - 0.34.0
kernel - 5.4.35
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Support both guestinfo.ignition.config and guestinfo.coreos.config in coreos-cloudinit (https://github.com/flatcar-linux/coreos-cloudinit/pull/4)
- Fix VMware guestinfo variable retrieval and add missing variables in ignition (https://github.com/flatcar-linux/ignition/pull/11)
- Use flatcar.autologin for the console in oem-vmware (https://github.com/flatcar-linux/coreos-overlay/pull/308)
- Log list of coredumps with coredumpctl in mayday (https://github.com/flatcar-linux/mayday/pull/8)
Updates:
ignition - 0.34.0
kernel - 4.19.113
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Use newest network interface naming scheme (https://github.com/flatcar-linux/Flatcar/issues/36)
- It is a possible breaking change for some persistent network interface names
- Fix coreos-cloudinit variable names (https://github.com/flatcar-linux/coreos-overlay/pull/206)
- Prefer /boot/coreos to write updates (https://github.com/flatcar-linux/update_engine/pull/2)
- Build a download URL in a safer way (https://github.com/flatcar-linux/update_engine/issues/3)
- Remove /boot/coreos/first_boot after an Ignition rerun on migration (https://github.com/flatcar-linux/bootengine/pull/10)
- Support coreos.config.url as kernel command line parameter for Ignition (https://github.com/flatcar-linux/ignition/pull/10)
- Make flannel cross-node traffic work with systemd > 242 (https://github.com/coreos/flannel/issues/1155, https://github.com/flatcar-linux/coreos-overlay/pull/279)
Changes:
- Add tracepath alongside traceroute6 (https://github.com/flatcar-linux/Flatcar/issues/50)
- Extend logging capabilities of mayday (https://github.com/flatcar-linux/Flatcar/issues/61)
Updates:
ignition - 0.34.0
kernel - 4.19.106
systemd - 1.30.0
- 241
Flatcar updates
Bug fixes:
- Enable persistent network interface names already in the initramfs to fix https://github.com/coreos/bugs/issues/1767
- Do not error out in runc if SELinux is disabled on the system (https://github.com/flatcar-linux/coreos-overlay/pull/189)
- Bring back runc 1.0-rc2 for Docker 17.03 (https://github.com/flatcar-linux/coreos-overlay/pull/191)
- Use correct branch name format in developer container tools (https://github.com/flatcar-linux/dev-util/pull/2)
Updates:
- Linux 4.19.106
ignition - 0.34.0
kernel - 4.19.102
systemd - 1.30.0
- 241
Flatcar updates
Security fixes:
- Fix stack-based buffer overflow in sudo (CVE-2019-18634)
- Fix incorrect access control leading to privileges escalation in runc (CVE-2019-19921)
- Fix systemd use-after-free upon receiving crafted D-Bus message from local unprivileged attacker (CVE-2020-1712)
Bug fixes:
- Fix DNS resolution for the GCE metadata server (https://github.com/flatcar-linux/coreos-overlay/pull/160)
- Use correct URLs for flatcar-linux in emerge-gitclone and scripts (https://github.com/flatcar-linux/dev-util/pull/1) (https://github.com/flatcar-linux/scripts/pull/50)
- Fix a wrong profile reference in torcx (https://github.com/flatcar-linux/coreos-overlay/pull/162)
- Create symlink for /run/metadata/coreos (https://github.com/flatcar-linux/coreos-overlay/pull/166)
- Create symlink for flatcar-install (https://github.com/flatcar-linux/init/pull/14)
- Fix backwards compatibility issues for users to migrate from CoreOS Container Linux (https://github.com/flatcar-linux/Flatcar/issues/16 https://github.com/flatcar-linux/afterburn/pull/7 https://github.com/flatcar-linux/bootengine/pull/7 https://github.com/flatcar-linux/bootengine/pull/8 https://github.com/flatcar-linux/init/pull/16 https://github.com/flatcar-linux/init/pull/17 https://github.com/flatcar-linux/ignition/pull/8)
Changes:
- Build Flatcar tarballs to be used by containers (https://github.com/flatcar-linux/scripts/pull/51)
- Enable qede kernel module
Updates:
- Linux 4.19.102
- runc 1.0.0-rc10
- sudo 1.8.31
ignition - 0.34.0
kernel - 4.19.97
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix multiple Git vulnerabilities (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)
Updates:
Flatcar updates
- Linux 4.19.97
ignition - 0.33.0
kernel - 4.19.89
systemd - 1.30.0
- 241
Flatcar updates
Security fixes:
- Fix a denial-of-service issue via malicious access to /dev/kvm (CVE-2019-19332)
Bug fixes:
- Fix a bug when creating RAID0 arrays by setting the default layout (https://github.com/flatcar-linux/baselayout/pull/2)
Updates:
- Linux 4.19.89
ignition - 0.33.0
kernel - 4.19.87
systemd - 1.30.0
- 241
Flatcar updates
It is the first release done for both amd64 and arm64.
Bug fixes:
- Fix cross-build issues around WAF by creating wrappers (https://github.com/flatcar-linux/coreos-overlay/pull/137 https://github.com/flatcar-linux/coreos-overlay/pull/139)
Updates:
Release Date: Dec 5, 2019 amd64
ignition - 0.33.0
kernel - 4.19.87
systemd - 1.30.0
- 241
Flatcar updates
Security fixes:
- Fix heap-based buffer over-read in libexpat (CVE-2019-15903)
- Fix code injection around dynamic libraries in docker (CVE-2019-14271)
Bug fixes:
- Fix cross-build issues in rust by storing shell scripts under the source directory (https://github.com/flatcar-linux/coreos-overlay/pull/125)
- Fix bug in dealing with xattrs when unpacking torcx tarballs (https://github.com/flatcar-linux/torcx/pull/2)
Updates:
Release Date: Nov 25, 2019 amd64
ignition - 0.33.0
kernel - 4.19.84
systemd - 1.30.0
- 241
Flatcar updates
Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling TSX or SMT on affected processors. (CVE-2019-11135, TAA)
- Fix Intel CPU denial of service by a malicious guest VM (CVE-2018-12207)
- Fix curl Kerberos FTP double free (CVE-2019-5481)
- Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5482)
- Fix OpenSSL key extraction attacks under non-default conditions (CVE-2019-1563, CVE-2019-1547)
- Fix panic caused by invalid DSA public keys in Go 1.12 and 1.13 (CVE-2019-17596)
Bug fixes:
- Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
- Fix time zone for Brazil (#2627)
Updates:
Release Date: Nov 11, 2019 amd64
ignition - 0.33.0
kernel - 4.19.81
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix CFS scheduler throttling highly-threaded I/O-bound applications (#2623)
- Fix time zone for Brazil (#2627)
Updates:
Release Date: Oct 23, 2019 amd64
ignition - 0.33.0
kernel - 4.19.80
systemd - 1.30.0
- 241
Release Date: Oct 17, 2019 amd64
ignition - 0.33.0
kernel - 4.19.79
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix sudo allowing a user to run commands as root if configured to permit the user to run commands as everyone other than root (CVE-2019-14287)
Bug fixes:
- Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)
Updates:
Release Date: Oct 16, 2019 amd64
ignition - 0.33.0
kernel - 4.19.78
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix kernel crash with CephFS mounts, introduced in 2275.0.0 (#2616)
Updates:
- Linux 4.19.78
Release Date: Sep 25, 2019 amd64
ignition - 0.33.0
kernel - 4.19.75
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix dbus authentication bypass in non-default configurations (CVE-2019-12749)
- Fix kernel KVM guest escape (CVE-2019-14835)
- Fix race condition in Intel microprocessors (CVE-2019-11184)
Updates:
Release Date: Sep 13, 2019 amd64
ignition - 0.33.0
kernel - 4.19.71
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)
Bug fixes:
- Fix GCE agent crash loop in new installs (#2608)
Updates:
- Linux 4.19.71
Release Date: Sep 5, 2019 amd64
ignition - 0.33.0
kernel - 4.19.69
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix systemd-resolved bug allowing unprivileged users to change DNS settings (CVE-2019-15718)
Bug fixes:
- Fix GCE agent crash loop in new installs (#2608)
Updates:
- Linux 4.19.69
Release Date: Aug 30, 2019 amd64
ignition - 0.33.0
kernel - 4.19.68
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix libarchive out of bounds reads (CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503)
- Fix pam_systemd bug allowing authenticated remote users to perform polkit actions as if locally logged in (CVE-2019-3842)
- Fix polkit information disclosure and denial of service (CVE-2018-1116)
- Fix SQLite multiple vulnerabilities, the worst of which allows code execution (CVE-2019-5018, CVE-2019-9936, CVE-2019-9937)
- Fix wget buffer overflow allowing arbitrary code execution (CVE-2019-5953)
Updates:
Release Date: Aug 16, 2019 amd64
ignition - 0.33.0
kernel - 4.19.65
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Use secure_getenv to fix a vulnerability around XDG_SEAT in pam_systemd (https://github.com/coreos/systemd/pull/118) (CVE-2019-3842)
Updates:
- Linux 4.19.65
Flatcar updates
Bug fixes:
- Fix wrong key name for fw_cfg in ignition with QEMU (https://github.com/flatcar-linux/ignition/issues/2)
- Get SELinux context included in torcx tarballs (https://github.com/flatcar-linux/scripts/pull/16)
- Enable XattrPrivileged for untar to fix SELinux issue (https://github.com/flatcar-linux/torcx/pull/1)
Release Date: Aug 8, 2019 amd64
ignition - 0.33.0
kernel - 4.19.65
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Linux information leak attack vector via speculative side channel (CVE-2019-1125)
Updates:
- Linux 4.19.65
Flatcar updates
Changes:
- Add “-s” flag in flatcar-install to install to smallest disk (https://github.com/flatcar-linux/init/pull/7)
Release Date: Aug 1, 2019 amd64
ignition - 0.33.0
kernel - 4.19.62
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix Ignition fetching from S3 URLs when network is slow to start (ignition#826)
Updates:
- Linux 4.19.62
Release Date: Jul 17, 2019 amd64
ignition - 0.33.0
kernel - 4.19.58
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Fix Docker "device or resource busy" error when creating overlay mounts, introduced in 2191.0.0
Updates:
- Linux 4.19.58
Release Date: Jul 3, 2019 amd64
ignition - 0.33.0
kernel - 4.19.56
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix libexpat denial of service (CVE-2018-20843)
Bug fixes:
- Fix Ignition panic when no guestinfo.(coreos|ignition).config parameters are specified on VMware (coreos/ignition#821)
Updates:
Release Date: Jul 1, 2019 amd64
ignition - 0.32.0
kernel - 4.19.55
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)
Updates:
Release Date: Jun 19, 2019 amd64
ignition - 0.32.0
kernel - 4.19.50
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Linux TCP remotely-triggerable kernel panic and excessive resource consumption (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
Updates:
- Linux 4.19.50
Release Date: Jun 12, 2019 amd64
ignition - 0.32.0
kernel - 4.19.47
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Bug fixes:
- Temporarily revert bunzip2 change in 2163.0.0 causing decompression failures for invalid archives created by older versions of lbzip2, including Container Linux release images (#2589)
Release Date: Jun 6, 2019 amd64
ignition - 0.32.0
kernel - 4.19.47
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix curl TFTP buffer overflow with non-default block size (CVE-2019-5436)
Updates:
Release Date: May 21, 2019 amd64
Release Date: May 16, 2019 amd64
ignition - 0.32.0
kernel - 4.19.43
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix Intel CPU disclosure of memory to user process. Complete mitigation requires manually disabling SMT on affected processors. (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, MDS)
Updates:
Release Date: May 8, 2019 amd64
ignition - 0.32.0
kernel - 4.19.37
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix SQLite remote code execution (CVE-2018-20346)
- Fix GLib multiple vulnerabilities
Bug fixes:
- Fix systemd MountFlags=shared option (#2579)
Changes:
- Use Amazon’s recommended NVMe timeout for new EC2 installs (#2484)
- Pin network interface naming to systemd v238 scheme (#2578)
- Enable XDP sockets (#2580)
Updates:
Release Date: May 3, 2019 amd64
ignition - 0.32.0
kernel - 4.19.36
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix libseccomp privilege escalation (CVE-2019-9893)
Bug fixes:
- Disable new sticky directory protections for backward compatibility (#2577)
Changes:
- Enable atlantic kernel module (#2576)
Updates:
Release Date: Apr 9, 2019 amd64
ignition - 0.31.0
kernel - 4.19.34
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix libmspack vulnerabilities in the VMware agent for new installs (CVE-2018-14679, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)
Updates:
Release Date: Mar 26, 2019 amd64
ignition - 0.31.0
kernel - 4.19.31
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix OpenSSH scp allowing remote servers to change target directory permissions (CVE-2018-20685)
- Fix OpenSSH outputting ANSI control codes from remote servers (CVE-2019-6109, CVE-2019-6110)
- Fix OpenSSH scp allowing remote servers to overwrite arbitrary files (CVE-2019-6111)
- Fix OpenSSL side-channel timing attack (CVE-2018-5407)
- Fix OpenSSL padding oracle attack in misbehaving applications (CVE-2019-1559)
- Fix ntp ntpd denial of service by authenticated user (CVE-2019-8936)
- Fix ntp buffer overflow in ntpq and ntpdc (CVE-2018-12327)
Bug fixes:
- Fix systemd presets incorrectly handling escaped unit names (#2569)
Updates:
Release Date: Mar 12, 2019 amd64
ignition - 0.31.0
kernel - 4.19.28
systemd - 1.30.0
- 241
Upstream Container Linux updates:
Security fixes:
- Fix tar local denial of service with --sparse option (CVE-2018-20482)
- Fix wget local information leak (CVE-2018-20483)
Bug fixes:
- Fix systemd-journald memory leak (#2564)
Changes:
- Enable vhost_vsock kernel module (#2563)
Updates:
Release Date: Feb 27, 2019 amd64
ignition - 0.31.0
kernel - 4.19.25
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix curl vulnerabilities (CVE-2018-16839, CVE-2018-16840, CVE-2018-16842, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823)
- Fix Linux use-after-free in sockfs_setattr (CVE-2019-8912)
- Fix systemd crash from a specially-crafted D-Bus message (CVE-2019-6454)
Updates:
- curl 7.64.0
- Docker 18.06.3-ce
- Ignition 0.31.0
- Linux 4.19.25
Release Date: Feb 14, 2019 amd64
ignition - 0.30.0
kernel - 4.19.20
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix runc container breakout (CVE-2019-5736)
Changes:
- Revert /sys/bus/rbd/add to Linux 4.14 behavior (#2544)
- Add a new subkey for signing release images
Updates:
Release Date: Jan 30, 2019 amd64
ignition - 0.30.0
kernel - 4.19.18
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Go CPU denial of service in ECC (CVE-2019-6486)
Updates:
Release Date: Jan 18, 2019 amd64
ignition - 0.30.0
kernel - 4.19.15
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix systemd-journald privilege escalation (CVE-2018-16864, CVE-2018-16865)
- Fix systemd-journald out of bounds read (CVE-2018-16866)
- Fix ntpq, ntpdc buffer overflow (CVE-2018-12327)
- Fix etcd improper authentication with RBAC and client certs (CVE-2018-16886)
Changes:
- Add ip_vs_mh kernel module (#2542)
Updates:
Release Date: Jan 18, 2019 amd64
Release Date: Dec 21, 2018 amd64
ignition - 0.29.1
kernel - 4.19.9
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Go CPU denial of service in X.509 verification (CVE-2018-16875)
- Fix PolicyKit always authorizing UIDs greater than INT_MAX (CVE-2018-19788)
Bug fixes:
- Fix AWS, Azure, and GCE disk aliases in the initramfs for Ignition (#2531)
Updates:
Release Date: Dec 6, 2018 amd64
ignition - 0.28.0
kernel - 4.19.6
systemd - 1.30.0
- 238
Release Date: Nov 21, 2018 amd64
ignition - 0.28.0
kernel - 4.19.2
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Disable containerd CRI plugin to stop it from listening on a TCP port (#2524)
- Fix curl buffer overrun in NTLM authentication code (CVE-2018-14618)
- Fix OpenSSL TLS client denial of service (CVE-2018-0732)
- Fix OpenSSL timing side channel in DSA signature generation (CVE-2018-0734)
- Fix OpenSSL timing side channel via SMT port contention (CVE-2018-5407)
Updates:
Release Date: Nov 8, 2018 amd64
ignition - 0.28.0
kernel - 4.19.1
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix systemd re-executing with arbitrary supplied state (CVE-2018-15686)
- Fix systemd race allowing changing file permissions (CVE-2018-15687)
- Fix systemd-networkd buffer overflow in the dhcp6 client (CVE-2018-15688)
Bug fixes:
- Add AWS and GCE disk aliases in the initramfs for Ignition (#2481)
- Add compatibility nf_conntrack_ipv4 kernel module to fix kube-proxy IPVS on Linux 4.19 (#2518)
Updates:
Release Date: Oct 26, 2018 amd64
ignition - 0.28.0
kernel - 4.19.0
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Git remote code execution during recursive clone (CVE-2018-17456)
- Fix OpenSSH user enumeration (CVE-2018-15473)
- Fix Rust standard library integer overflow (CVE-2018-1000810)
Bug fixes:
- Fix missing kernel headers (#2505)
Updates:
Release Date: Oct 11, 2018 amd64
ignition - 0.28.0
kernel - 4.18.12
systemd - 1.30.0
- 238
Flatcar updates
Changes:
- Add new image signing subkey to flatcar-install (flatcar-linux/init#4)
Bug fixes:
- Fix /usr/lib/coreos symlink for Container Linux compatibility (flatcar-linux/coreos-overlay#8)
Upstream Container Linux updates:
Updates:
Release Date: Oct 1, 2018 amd64
ignition - 0.28.0
kernel - 4.18.9
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix Google Compute Engine OS Login activation (#2503)
Updates:
- Linux 4.18.9
Release Date: Sep 14, 2018 amd64
ignition - 0.28.0
kernel - 4.18.7
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Bug fixes:
Changes:
- Add support for Google Compute Engine OS Login
- Enable support for Mellanox Ethernet switches
Updates:
Release Date: Aug 29, 2018 amd64
ignition - 0.28.0
kernel - 4.18.5
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Changes:
- Add CIFS userspace utilities (#571)
- Drop AWS PV images from regions which do not support PV
Updates:
- containerd 1.1.2
- Docker 18.06.1-ce
- Ignition 0.28.0
- Linux 4.18.5
- Rust 1.28.0
Release Date: Aug 17, 2018 amd64
ignition - 0.27.0
kernel - 4.17.15
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux remote denial of service (FragmentSmack, CVE-2018-5391)
- Fix Linux privileged memory access via speculative execution (L1TF/Foreshadow, CVE-2018-3620, CVE-2018-3646)
- Fix curl SMTP buffer overflow (CVE-2018-0500)
Bug fixes:
- Fix PXE systems attempting to mount an ESP (#2491)
Updates:
Release Date: Aug 8, 2018 amd64
ignition - 0.26.0
kernel - 4.17.12
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Linux local denial of service as Xen PV guest (CVE-2018-14678)
Bug fixes:
- Fix failure to mount large ext4 filesystems (#2485)
Updates:
- Linux 4.17.12
Release Date: Jul 31, 2018 amd64
ignition - 0.26.0
kernel - 4.17.11
systemd - 1.30.0
- 238
Release Date: Jul 26, 2018 amd64
ignition - 0.26.0
kernel - 4.17.9
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Changes:
- Add torcx remotes support
Updates:
- containerd 1.1.1
- Docker 18.06.0-ce
- intel-microcode 20180703
- Linux 4.17.9
- Update Engine 0.4.9
Release Date: Jul 5, 2018 amd64
ignition - 0.26.0
kernel - 4.17.3
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix curl buffer overflows (CVE-2018-1000300, CVE-2018-1000301)
- Fix Linux random seed during early boot (CVE-2018-1108)
Changes:
- Reads of /dev/urandom early in boot will block until the entropy pool is fully initialized
- Support friendly AWS EBS NVMe device names (#2399)
Updates:
Release Date: Jun 22, 2018 amd64
ignition - 0.26.0
kernel - 4.16.16
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix Hyper-V network driver regression (#2454)
Changes:
Updates:
Release Date: Jun 13, 2018 amd64
ignition - 0.25.1
kernel - 4.16.14
systemd - 1.30.0
- 238
Release Date: Jun 12, 2018 amd64
ignition - 0.25.1
kernel - 4.16.14
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix multiple procps vulnerabilities (CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126, CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1126)
- Fix shadow privilege escalation (CVE-2018-7169)
- Fix samba man-in-the-middle attack (CVE-2016-2119)
- Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)
Bug fixes:
- Fix failure to set network interface MTU (#2443)
- Fix inadvertent change of network interface names (#2437)
- Fix Docker bind mounts from root filesystem (#2440)
Changes:
- Update VMware virtual hardware version to 11 (ESXi > 6.0)
Updates:
Release Date: Jun 1, 2018 amd64
ignition - 0.25.1
kernel - 4.16.13
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix Git arbitrary code execution when cloning untrusted repositories (CVE-2018-11235)
Bug fixes:
- Fix failure to set network interface MTU (#2443)
Updates:
Release Date: May 27, 2018 amd64
ignition - 0.25.1
kernel - 4.16.10
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Bug fixes:
Release Date: May 26, 2018 amd64
ignition - 0.25.1
kernel - 4.16.10
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix ncurses denial of service and arbitrary code execution (CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113, CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733, CVE-2017-13734, CVE-2017-16879)
- Fix rsync arbitrary command execution (CVE-2018-5764)
- Fix wget cookie injection (CVE-2018-0494)
Changes:
- Enable QLogic FCoE offload support (#2367)
- Enable hardware RNG kernel drivers (#2430)
- Add notrap to ntpd default access restrictions (#2220)
- Allow booting default GRUB menu entry if GRUB password is enabled (#1597)
- coreos-install -i no longer modifies grub.cfg (#2291)
- QEMU wrapper script now enables VirtIO RNG device
Updates:
Release Date: May 11, 2018 amd64
ignition - 0.24.0
kernel - 4.16.7
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Bug fixes:
- Fix GRUB free magic error on existing systems (#2400)
Changes:
- Support storing sudoers in SSSD and LDAP
- No longer publish Oracle Cloud release images
Updates:
Release Date: Apr 26, 2018 amd64
ignition - 0.24.0
kernel - 4.16.3
systemd - 1.30.0
- 238
Upstream Container Linux updates:
Security fixes:
- Fix ntp clock manipulation from ephemeral connections (CVE-2016-1549, CVE-2018-7170)
- Fix ntp denial of service from out of bounds read (CVE-2018-7182)
- Fix ntp denial of service from packets with timestamp 0 (CVE-2018-7184, CVE-2018-7185)
- Fix ntp remote code execution (CVE-2018-7183)
Bug fixes:
- Pass /etc/machine-id from the host to the kubelet
- Fix docker2aci tar conversion (#2402)
- Switch /boot from FAT16 to FAT32 (#2246)
Changes:
- Make Ignition failures more visible on the console
Updates:
Release Date: Apr 25, 2018 amd64
ignition - 0.24.0
kernel - 4.15.15
systemd - 1.29.0
- 238
Flatcar updates
Initial Flatcar release.
Notes:
- Previous test images have been removed from the release servers. This is due to a new update key being generated using our updated security policy which we included in the first public image.
Upstream Container Linux updates:
Security fixes:
- Fix curl out of bounds read (CVE-2018-1000005)
- Fix curl authentication data leak (CVE-2018-1000007)
- Fix curl buffer overflow (CVE-2018-1000120)
- Fix glibc integer overflow in libcidn (CVE-2017-14062)
- Fix glibc memory issues in glob() with ~ (CVE-2017-15670, CVE-2017-15671, CVE-2017-15804)
- Fix glibc mishandling RPATHs with $ORIGIN on setuid binaries (CVE-2017-16997)
- Fix glibc buffer underflow in realpath() (CVE-2018-1000001)
- Fix glibc integer overflow and heap corruption in memalign() (CVE-2018-6485)
Bug fixes:
- Fix GRUB crash at boot (#2284)
Updates:
Release Date: Mar 25, 2021 amd64
ignition - 0.34.0
kernel - 5.4.107
systemd - 246
Security fixes
- Linux (CVE-2021-28375, CVE-2021-28660, CVE-2021-27363, CVE-2021-27365, CVE-2021-28038, CVE-2021-27364, CVE-2020-25639)
- openssl (CVE-2021-23840, CVE-2021-23841, CVE-2020-1971, CVE-2021-3449, CVE-2021-3450)
Updates
Release Date: Mar 2, 2021 amd64
ignition - 0.34.0
kernel - 5.4.101
systemd - 246
Security fixes
- Linux (CVE-2021-20194, CVE-2021-3348, CVE-2020-27825, CVE-2021-3347, CVE-2021-26931, CVE-2021-26930, CVE-2021-26932)
Bug fixes
- login message (motd): filter out bullet point when parsing failed units (baselayout#16)
- tcsd.service: use correct file permissions (coreos-overlay#809)
- Use LTS 2021 as OS codename instead of the wrong LTS 2020 name
- Flatcar Pro for AWS: flatcar-eks: add missing mkdir and update to latest versions (coreos-overlay#817)
Updates
- Linux 5.4.101
Release Date: Feb 2, 2021 amd64
ignition - 0.34.0
kernel - 5.4.92
systemd - 246
Security fixes
- Linux (CVE-2020-27815, CVE-2020-29568, CVE-2020-29569, CVE-2020-28374, CVE-2020-36158)
- Go (CVE-2021-3114)
- sudo (CVE-2021-3156, CVE-2021-23239)
Bug fixes
- networkd: avoid managing MAC addresses for veth devices (kinvolk/init#33)
- /etc/iscsi/initiatorname.iscsi is generated by the iscsi-init service (#321)
- Prevent iscsiadm buffer overflow (#318)
- Revert to building docker and containerd with go1.13 instead of go1.15. This reduces the SIGURG log spam (#315)
Changes
- The containerd socket is now available in the default location (/run/containerd/containerd.sock) and also as a symlink in the previous location (/run/docker/libcontainerd/docker-containerd.sock) (#771)
- With the iscsi update, the service unit has changed from iscsid to iscsi (#791)
- AWS Pro: include scripts to facilitate setup of EKS workers (#794)
Updates
Release Date: Dec 16, 2020 amd64
ignition - 0.34.0
kernel - 5.4.83
systemd - 246
Changes:
- The Linux kernel is compiled with FIPS support
- The containerd CRI plugin is now enabled by default; only the containerd socket path needs to be specified as a kubelet parameter for Kubernetes 1.20 to use containerd instead of Docker (Flatcar#283)
Updates:
- Linux (5.4.83)
- Docker (19.03.14)
- containerd (1.4.3)
- systemd (246.6)