Releases: kairos-io/kairos
v3.2.4
What's Changed
Highlights:
- Bumps kairos-agent to v2.15.5
- Processes datasources in all cases except UKI normal boot to prevent malicious actors from plugging USB sticks with additional configuration after installation (#3035)
- Fixes machine-id in alpine (#3066)
- Bumps k3s patch versions
- Various dependency version bumps (see below)
More:
- ⬆️ Update github/codeql-action action to v3.27.4 by @renovate in #3015
- ⬆️ Update aquasec/trivy Docker tag to v0.57.1 by @renovate in #3022
- ⬆️ Update slackapi/slack-github-action action to v1.27.1 by @renovate in #3016
- 🐧 Enable boot assessment for UKI by @Itxaka in #3034
- ⬆️ Update github/codeql-action digest to f09c1c0 by @renovate in #3014
- ⬆️ Update github/codeql-action action to v3.27.5 by @renovate in #3030
- ⬆️ Update module github.com/onsi/ginkgo/v2 to v2.22.0 by @renovate in #3031
- ⬆️ Update anchore/grype Docker tag to v0.85.0 by @renovate in #3033
- ⬆️ Update kairos-io/linting-composite-action action to v0.0.10 by @renovate in #3021
- Remove enki references from the Earthfile and pipelines by @jimmykarily in #3042
- ⬆️ Update dependency go to v1.23.4 by @renovate in #3047
- ⬆️ Update github/codeql-action action to v3.27.6 by @renovate in #3048
- Bump auroraboot to v0.4.0 to fix root permission to 755 by @jimmykarily in #3051
- Bump auroraboot image by @jimmykarily in #3055
- Use cached image again (now that we pushed 1.23) by @jimmykarily in #3058
- ⬆️ Update module github.com/mudler/edgevpn to v0.28.4 by @renovate in #3023
- ⬆️ Update github/codeql-action action to v3.27.7 by @renovate in #3071
- Add missing package that makes debian:testing unbootable by @jimmykarily in #3074
- Bump framework to 2.14.5 by @jimmykarily in #3075
- Bump framework and auroraboot image by @jimmykarily in #3077
- Downgrade kairos-agent by bumping framework by @jimmykarily in #3082
- Bump framework to downgrade k3s to non-rc versions by @jimmykarily in #3083
- Log files no longer have hardcoded names, use a glob for the test by @jimmykarily in #3078
- Install systemd-cryptsetup only in debian testing by @jimmykarily in #3084
Full Changelog: v3.2.3...v3.2.4
v3.2.3
✨ Improvements
- Mainly bugfixes and dependency bumps across the aisle
- Upgrading to v3.2.3 from Kubernetes was fixed #3010
- Updated Yip across all packages to v1.12.0 which brings some nice improvements
- Timesyncd now writes the config to an override instead of removing the default config file
- User recreation now tries to get more info about the UID if the user previously existed in order to use the same UID
- Stages that take too long to execute will now log every 10 seconds to let the user know that the stage is still being executed
⬆️ Dependencies
kairos-framework was updated from v2.15.3 to v2.15.4 which brought the following updates (only showing updated packages):
Package | Old version | New version |
---|---|---|
suc-upgrade | 0.3.0 | 0.3.1 |
immucore | 0.6.0 | 0.6.1 |
kairos-agent | 2.15.3 | 2.15.4 |
Notable changes in the packages:
- suc-upgrade:
  - Fixes a wrong path when checking for kairos-release/os-release on kubernetes upgrade #3010
- immucore:
  - Dependency bumps, including yip from v1.11.0 to v1.12.0
- kairos-agent:
  - Respect user defined/default sizes on upgrade instead of defaulting to the image size
  - Fix partitioner on disks with sector size other than 512
  - Fix and validate schema for disk devices
  - Enable debug logs asap, so yip calls via the agent also have the debug level if requested
  - Dependency bumps, including yip from v1.11.0 to v1.12.0
Full Changelog: v3.2.2...v3.2.3
v3.2.2
Caution
We have identified a potential issue when upgrading from older versions into 3.2.2 via Kubernetes with suc-upgrade.
If your upgrade scenario is via Kubernetes, we recommend NOT upgrading to this version and waiting for v3.2.3, which should be released between the 13th and 14th of November as a follow-up to this release.
If you still need to upgrade, check #3010 for a workaround
✨ Improvements
- Move kairos vars to their own file by @Itxaka in #2908
  - Now all the kairos vars are stored into /etc/kairos-release to not contaminate the system os-release
- Add ubuntu 24.10 flavor by @mauromorales in #2930
  - Now you can enjoy the latest 24.10 ubuntu released in Kairos fashion
- Build Ubuntu 24.04 Standard Image UKI on Github by @bencorrado in #2940
  - Now the released UKI base images provide a standard image that contains K3S for ease of consuming and generating Trusted Boot images.
- Yip was updated across the system to version v1.11.0 which brings:
  - New trace level log output for extra logs
  - Move some logs from debug to trace to make debug logs clearer
  - Add missing name to stages that didn't have names for easy identification of the steps
  - Don't log empty command output
  - Do not duplicate errors when logging out
  - Nicer steps dump when running on debug
  - On failures print the source file for the errored step
- Kairos-agent now allows installing a system with no users.
  - Can be enabled by setting the install.nousers to true
  - This will install a system with no users, thus blocked from sshing into it or logging in via physical methods
- Kairos-agent now checks the system configurations to validate user+admin
  - At least one user needs to be added to the configs
  - At least one user needs to be in the admin group
  - Our configs set a Kairos user by default but this might change in the future and no users may be shipped by default, so we may consider the default kairos user bundled with our configs deprecated
  - This check can be skipped by the new setting install.nousers
⬆️ Dependencies
kairos-framework was updated from v2.12.4 to v2.14.3 which brought the following updates (only showing updated packages):
Package | Old version | New version |
---|---|---|
suc-upgrade | 0.2.3 | 0.3.0 |
kairos-overlay-files | 1.1.58 | 1.5.1 |
immucore | 0.5.1 | 0.6.0 |
kairos-agent | 2.14.7 | 2.15.3 |
Notable changes in the packages:
- suc-upgrade:
  - Will try to read the current release from /etc/kairos-release instead of /etc/os-release
- immucore:
  - Dependency bumps, including yip from v1.10.0 to v1.11.0 which includes a nicer log output and mentioning the sources for stages on failures.
- kairos-overlay-files:
  - Use /etc/kairos-release instead of /etc/os-release
  - Drop duplicated entries in default cmdlines
  - Drop duplicated filesystem expansion step
  - Pull datasources only during Install
- kairos-agent:
  - Use /etc/kairos-release instead of /etc/os-release
  - Allow to install with no users by setting the install.nousers key to true in the config file. This allows to install a system with zero default users.
  - Validate that we have users in the config files and at least 1 is admin during install and upgrade to avoid installing/upgrading a system with no users and being locked out of the system. Can be overridden with the above install.nousers key.
  - Read actual system configs during k8s upgrade. During k8s upgrade we were scanning the upgraded container for cloud config files, which skipped the actual system files.
  - Dependency bumps, including yip from v1.10.0 to v1.11.0 which includes a nicer log output and mentioning the sources for stages on failures.
New Contributors
- @bencorrado made their first contribution in #2942
Full Changelog: v3.2.1...v3.2.2
v3.2.1
What's Changed
✨ Improvements
- Show sources in config string by @jimmykarily in kairos-io/kairos-agent#550
  - Now when checking the configs you will see the sources used to generate them
- Expose the Analyze method of kairos-agent run-stage by @Itxaka in kairos-io/kairos-agent#548
  - now kairos-agent runstage can be run with the flag --analyze or -a to only show what steps would be run from a given stage and in the order they will be run.
- Accept more paths to devices for install by @Itxaka in kairos-io/kairos-agent#552
  - Now the install target accepts devices identified by /dev/disk/by-{uuid,label,path,diskseq}
⬆️ Dependencies
🐛 Fixed bugs
- Add missing binary to nvidia images by @Itxaka in #2918
- Dracut immucore should fatal if binaries are missing in #2692
- Alpine initrd should mount the livecd under /run/initramfs/live in #2912
- systemd-networkd-wait-online fails with multiple ethernet where one or more is disconnected in #2898
- AuroraBoot doesn't copy cloud config file in #2876
- Fix partitioner not identifying mmc/nvme partitions by @Itxaka in kairos-io/kairos-agent#563
- Fix reset by @Itxaka in kairos-io/kairos-agent#565
- Fix mkfs using the wrong label for the fs label by @Itxaka in kairos-io/kairos-agent#556
🤖 CI related
- Revert the trivy DB changes by @Itxaka in #2889
- Cache trivy by @jimmykarily in #2910
- Cache trivy in one more pipeline by @jimmykarily in #2913
- Cache even more trivy by @jimmykarily in #2914
- Install arm64 earthly by @Itxaka in #2916
Full Changelog: v3.2.0...v3.2.1
v3.2.1-rc1
What's Changed
- 🤖 Revert the trivy DB changes by @Itxaka in #2889
- Cache trivy by @jimmykarily in #2910
- Cache trivy in one more pipeline by @jimmykarily in #2913
- Cache even more trivy by @jimmykarily in #2914
- Install arm64 earthly by @Itxaka in #2916
- ⬆️ Bump framework by @Itxaka in #2915
- 🐛 Add missing binary to nvidia images by @Itxaka in #2918
Full Changelog: v3.2.0...v3.2.1-rc1
v3.2.0
This is a "milestone" release as it signifies the completeness of a set of planned stories. You can see what was planned for the v3.2.0 release in the relevant ticket: #2052
What's Changed
- Fixed recovery reset (kairos-io/kairos-agent#565)
- Make it possible to refer to disks using labels and ids (device names were the only option up to now) (kairos-io/kairos-agent#563, kairos-io/kairos-agent#558, kairos-io/kairos-agent#552)
- Make the kairos-agent skip yip config directories when parsing for installation/upgrade/reset configuration and allow users to override built-in configuration using datasource by parsing /oem last (kairos-io/kairos-agent#562)
- Show merged configs as a comment in the final kairos config and when running kairos-agent config command (kairos-io/kairos-agent#550)
- Expose the "analyze" method of yip in the kairos-agent run-stage command (kairos-io/kairos-agent#548)
- Update aquasec/trivy Docker tag to v0.55.2 by @renovate in #2867
- Update github/codeql-action action to v3.26.8 by @renovate in #2873
- 🤖 Allow testing provider dev versions by @Itxaka in #2870
- 🐛 Do not blindly install all tpm2 tools by @Itxaka in #2884
- Store logs on earthly by @Itxaka in #2880
- 🤖 Cache trivy DB before running the build by @Itxaka in #2885
- Bump framework by @Itxaka in #2891
- Test selecting disk by uuid+label by @Itxaka in #2877
- Don't run both rngd and haveged by @jimmykarily in #2890
- 🤖 Add missing secrets: inherit by @Itxaka in #2897
- Update quay.io/kairos/framework Docker tag to v2.12.1 by @renovate in #2902
Full Changelog: v3.1.3...v3.2.0
v3.2.0-rc1
See the v3.2.0 release notes - This was an rc
v3.1.3
Release highlights:
- In the previous release, we introduced a fix for the broken permissions of the user's home directory. It turned out that the fix only applied to users created by the top level users: key in the Kairos configuration file. In this release, users created in various stages will also get their home directory permissions fixed. If for some reason, you don't want the script to recursively fix the home directory permissions, you can create a sentinel file to skip the fix and apply it on your own as you see fit.
- Fixed an issue where we didn't calculate the upgrade image size and always created an image with the default size (#2818)
- Fixed an issue in Kairos upgrades through Kubernetes, where various host directories were also used in image size calculation (kairos-io/kairos-agent#537)
- We now display the webui url below the QR code to avoid people having to plug a keyboard just to find the IP address of the node (#2826)
- Fixed a bug in Alpine flavors where we passed the edgevpn arguments in the openrc service file wrongly (#2789)
- Lots of version bumps on dependencies (mostly automated).
Known Issues
- [Carry over from previous releases] RPi EFI booting no longer supported on kernels shipped with Ubuntu 24.04+ #2249
What's Changed
- Add permissions to generic arm release pipeline by @mauromorales in #2840
- Update tj-actions/changed-files action to v45 by @renovate in #2816
- Add upgrade uki test by @jimmykarily in #2776
- Update dependency go to v1.23.1 by @renovate in #2845
- Generate relative paths to files by @jimmykarily in #2846
- 🤖 Make arm64 workers use docker mirror by @Itxaka in #2850
- 🐛 Fix wifi cloud-config example by @jimmyjones2 in #2820
- 📖 Add alpine wifi cloud-config by @jimmyjones2 in #2819
- Update anchore/grype Docker tag to v0.80.1 by @renovate in #2852
- Update aquasec/trivy Docker tag to v0.55.0 by @renovate in #2781
- Update aquasec/trivy Docker tag to v0.55.1 by @renovate in #2854
- Update github/codeql-action action to v3.26.6 by @renovate in #2799
- Fix test printing old value for debugging by @jimmykarily in #2855
- Update google/osv-scanner-action action to v1.8.5 by @renovate in #2853
- Update quay.io/kairos/framework Docker tag to v2.11.5 by @renovate in #2856
- Update github/codeql-action action to v3.26.7 by @renovate in #2858
- Update quay.io/kairos/framework Docker tag to v2.11.7 by @renovate in #2859
- Split the uploading of trivy and grype results by @jimmykarily in #2860
New Contributors
- @jimmyjones2 made their first contribution in #2820
Full Changelog: v3.1.2...v3.1.3
v3.1.2
⚠️ The following issues have been resolved, so it is safe to upgrade again:
Kairos user ids change on upgrade, breaking ssh login #2797
Long duration hang during boot #2802
What's Changed
- 🤖 Check that install/recovery services are off during active boot by @Itxaka in #2775
- 🐧 Disable pcrlock for all systemd distros by @Itxaka in #2778
- 🐛 Empty machine-id instead of removing it by @Itxaka in #2784
- 🐛 Fix +base-image for Remote Execution by @sdwilsh in #2808
Full Changelog: v3.1.1...v3.1.2
v3.1.2-rc1
What's Changed
- Update softprops/action-gh-release action to v2.0.8 by @renovate in #2751
- Update manual tests by @mauromorales in #2747
- Update github/codeql-action action to v3.25.13 by @renovate in #2750
- Remove ubuntu 23.10 from the pipelines by @jimmykarily in #2756
- Update tj-actions/changed-files digest to 6b2903b by @renovate in #2746
- Update github/codeql-action digest to 2d79040 by @renovate in #2749
- Update docker/login-action digest to 9780b0c by @renovate in #2754
- Run arm jobs under arm workers by @Itxaka in #2757
- Update github/codeql-action action to v3.25.14 by @renovate in #2763
- Update module github.com/onsi/ginkgo/v2 to v2.19.1 by @renovate in #2768
- Update github/codeql-action action to v3.25.15 by @renovate in #2767
- Add manual test for edgevpn setup by @jimmykarily in #2771
- 🤖 Check that install/recovery services are off during active boot by @Itxaka in #2775
- Update ossf/scorecard-action action to v2.4.0 by @renovate in #2769
- Update docker/setup-buildx-action digest to 988b5a0 by @renovate in #2755
- Update github/codeql-action digest to afb54ba by @renovate in #2762
- Update renovate/renovate Docker tag to v38 by @renovate in #2765
- Update module github.com/onsi/gomega to v1.34.1 by @renovate in #2764
- 🐧 Disable pcrlock for all systemd distros by @Itxaka in #2778
- Update tj-actions/changed-files digest to c65cd88 by @renovate in #2780
- Update quay.io/luet/base Docker tag to v0.35.4 by @renovate in #2783
- 🐛 Empty machine-id instead of removing it by @Itxaka in #2784
- Update actions/upload-artifact digest to 89ef406 by @renovate in #2786
- Update actions/upload-artifact action to v4.3.5 by @renovate in #2787
- 🔧 Allow testing overlay files branches by @Itxaka in #2791
- Update module github.com/mudler/edgevpn to v0.27.0 by @renovate in #2803
- Update actions/upload-artifact action to v4.3.6 by @renovate in #2795
- Update google/osv-scanner-action action to v1.8.3 by @renovate in #2801
- Update dependency go to v1.23.0 by @renovate in #2796
- Update module github.com/mudler/edgevpn to v0.27.2 by @renovate in #2812
- Update github.com/mudler/go-processmanager digest to 8b802d3 by @renovate in #2811
- 🐛 Fix +base-image for Remote Execution by @sdwilsh in #2808
- Update module github.com/onsi/ginkgo/v2 to v2.20.1 by @renovate in #2815
- Update module github.com/mudler/edgevpn to v0.27.3 by @renovate in #2814
- Update google/osv-scanner-action action to v1.8.4 by @renovate in #2817
- Update module github.com/mudler/edgevpn to v0.27.4 by @renovate in #2822
- Update module github.com/onsi/ginkgo/v2 to v2.20.2 by @renovate in #2829
- Update quay.io/luet/base Docker tag to v0.35.5 by @renovate in #2831
- Update module github.com/onsi/gomega to v1.34.2 by @renovate in #2830
Full Changelog: v3.1.1...v3.1.2-rc1